CVE-2024-23340: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in honojs node-server

Medium
Tags: Vulnerability, CVE-2024-23340, cve, cwe-22
Published: Mon Jan 22 2024 (01/22/2024, 23:00:34 UTC)
Source: CVE Database V5
Vendor/Project: honojs
Product: node-server

Description

@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object whose `url` behaves unexpectedly. In the standard API, if the URL contains `..`, here called "double dots", the URL string returned by Request is the resolved path. However, the `url` in @hono/node-server's Request does not resolve double dots, so `http://localhost/static/../foo.txt` is returned as-is. This causes vulnerabilities when using `serveStatic`. Modern web browsers and the latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if the server is accessed by a client that does not resolve them. Version 1.4.1 includes the change that fixes this issue. As a workaround, don't use `serveStatic`.

AI-Powered Analysis

Last updated: 07/08/2025, 17:11:51 UTC

Technical Analysis

CVE-2024-23340 is a medium-severity path traversal vulnerability affecting @hono/node-server versions from 1.3.0 up to, but not including, 1.4.1. @hono/node-server is a Node.js adapter for running Hono applications. The vulnerability arises from the adapter's custom Request object implementation, which does not resolve URL path segments containing double dots ('..'). In the standard Request object (the Fetch API implementation that Node.js ships), a URL containing '..' is normalized to its resolved path at parse time, so a '..' segment can never reach a file-serving handler. In @hono/node-server, however, the URL string returned retains the '..' segments unprocessed. This behavior can lead to improper limitation of pathname access when using the serveStatic middleware, which maps the URL path onto a directory on disk. If an attacker sends a request with '..' segments that are not resolved server-side, they may be able to read files outside the intended static directory, potentially exposing sensitive files on the server. Modern browsers and recent versions of curl resolve '..' on the client side before sending the request, which mitigates the risk for typical users; clients that do not perform such resolution (custom HTTP clients, older tools, raw sockets) can still trigger the vulnerability. The issue was fixed in version 1.4.1 by resolving the URL path properly. No known exploits are reported in the wild. The CVSS v3.1 base score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges or user interaction required, and limited confidentiality impact without integrity or availability effects.

Potential Impact

For European organizations using @hono/node-server versions between 1.3.0 and 1.4.0 inclusive, this vulnerability could allow remote attackers to perform path traversal attacks via specially crafted URLs. This could lead to unauthorized disclosure of sensitive files stored on the server, such as configuration files, source code, or private data, thereby impacting confidentiality. Although integrity and availability are not directly affected, the exposure of sensitive information could facilitate further attacks or data breaches. Organizations relying on serveStatic middleware in their Hono applications are particularly at risk. The impact is heightened in sectors with strict data protection regulations like GDPR, where unauthorized data exposure can lead to regulatory penalties and reputational damage. Since exploitation requires no authentication or user interaction and can be performed remotely, the threat is significant for publicly accessible web services. However, the risk is somewhat mitigated by the fact that many clients resolve '..' sequences, reducing the likelihood of exploitation in typical scenarios.

Mitigation Recommendations

European organizations should immediately upgrade @hono/node-server to version 1.4.1 or later, where the vulnerability is fixed by proper URL path resolution. Until upgrading is possible, avoid using the serveStatic middleware or implement additional server-side validation to sanitize and normalize URL paths before serving static files. Employ strict input validation and canonicalization to prevent directory traversal attempts. Additionally, restrict file system permissions so that the web server process has access only to necessary directories, limiting the impact of any traversal attempts. Implement web application firewalls (WAFs) with rules to detect and block requests containing suspicious '..' sequences in URLs. Regularly audit and monitor access logs for anomalous requests that may indicate exploitation attempts. Finally, educate developers about secure handling of URL paths and the importance of using updated dependencies.

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2024-01-15T15:19:19.444Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6839c41d182aa0cae2b435fb

Added to database: 5/30/2025, 2:43:41 PM

Last enriched: 7/8/2025, 5:11:51 PM

Last updated: 8/14/2025, 7:17:09 AM
