CVE-2026-39406: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in honojs node-server
CVE-2026-39406 is a path traversal vulnerability in honojs node-server versions prior to 1. 19. 13. The issue arises from inconsistent path handling in the serveStatic function, which normalizes repeated slashes in request paths. This inconsistency can allow bypassing route-based middleware authorization that does not correctly match paths with repeated slashes, potentially exposing protected static files. The vulnerability has a medium severity with a CVSS score of 5. 3. A fix is available in version 1. 19. 13.
AI Analysis
Technical Summary
The honojs node-server before version 1.19.13 contains a path traversal vulnerability (CWE-22) due to inconsistent handling of repeated slashes in URL paths. The serveStatic function normalizes paths by collapsing repeated slashes, while route-based middleware authorization (e.g., routes like /admin/*) may fail to match these altered paths correctly. This discrepancy allows an attacker to bypass authorization middleware by crafting request paths with repeated slashes, thereby accessing protected static files. The issue is resolved in honojs node-server version 1.19.13.
Potential Impact
An attacker can bypass route-based middleware authorization controls by exploiting the path normalization inconsistency, potentially gaining unauthorized read access to protected static files. The vulnerability does not affect integrity or availability, only confidentiality of static file resources. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade honojs node-server to version 1.19.13 or later, where this path traversal vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in this version, applying this update is the recommended remediation. Patch status is not explicitly stated beyond the version fix, so verify with the vendor for any additional guidance.
CVE-2026-39406: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in honojs node-server
Description
CVE-2026-39406 is a path traversal vulnerability in honojs node-server versions prior to 1. 19. 13. The issue arises from inconsistent path handling in the serveStatic function, which normalizes repeated slashes in request paths. This inconsistency can allow bypassing route-based middleware authorization that does not correctly match paths with repeated slashes, potentially exposing protected static files. The vulnerability has a medium severity with a CVSS score of 5. 3. A fix is available in version 1. 19. 13.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The honojs node-server before version 1.19.13 contains a path traversal vulnerability (CWE-22) due to inconsistent handling of repeated slashes in URL paths. The serveStatic function normalizes paths by collapsing repeated slashes, while route-based middleware authorization (e.g., routes like /admin/*) may fail to match these altered paths correctly. This discrepancy allows an attacker to bypass authorization middleware by crafting request paths with repeated slashes, thereby accessing protected static files. The issue is resolved in honojs node-server version 1.19.13.
Potential Impact
An attacker can bypass route-based middleware authorization controls by exploiting the path normalization inconsistency, potentially gaining unauthorized read access to protected static files. The vulnerability does not affect integrity or availability, only confidentiality of static file resources. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade honojs node-server to version 1.19.13 or later, where this path traversal vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in this version, applying this update is the recommended remediation. Patch status is not explicitly stated beyond the version fix, so verify with the vendor for any additional guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T00:23:30.594Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d672521cc7ad14da85d655
Added to database: 4/8/2026, 3:20:50 PM
Last enriched: 4/8/2026, 3:35:50 PM
Last updated: 4/8/2026, 5:12:52 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.