FKIE_CVE-2024-32652
Vulnerability from fkie_nvd - Published: 2024-04-19 19:15 - Updated: 2025-09-17 20:33
Severity: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (source: security-advisories@github.com)
Summary
The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when it receives a `Host` header with a value that `@hono/node-server` cannot handle: any value that the `URL` constructor fails to parse as a hostname, such as an empty string, a slash `/`, or other malformed strings. The `Host` header is fully attacker-controlled and no authentication is needed, so a malformed request from any network client can stop the server from serving further requests — an unauthenticated remote denial of service (CVSS 3.1 base score 7.5, availability impact High). Version 1.10.1 includes the fix; the advisory text gives no workaround, so upgrading is the remediation.
References
- Patch: https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204
- Exploit / Issue Tracking / Third Party Advisory: https://github.com/honojs/node-server/issues/159
- Vendor Advisory: https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx
Impacted products
| Vendor | Product | Version | CPE |
|---|---|---|---|
| hono | node-server | >= 1.3.0, < 1.10.1 | cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:* |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "9C7B1055-D37F-4978-8A0A-A59C056190CF",
"versionEndExcluding": "1.10.1",
"versionStartIncluding": "1.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can\u0027t handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue."
},
{
"lang": "es",
"value": "El adaptador @hono/node-server le permite ejecutar su aplicaci\u00f3n Hono en Node.js. Antes de 1.10.1, la aplicaci\u00f3n se bloquea cuando recibe un encabezado de Host con un valor que `@hono/node-server` no puede manejar bien. Los valores no v\u00e1lidos son aquellos que la \"URL\" no puede analizar como un nombre de host, como una cadena vac\u00eda, barras diagonales \"/\" y otras cadenas. La versi\u00f3n 1.10.1 incluye la soluci\u00f3n para este problema."
}
],
"id": "CVE-2024-32652",
"lastModified": "2025-09-17T20:33:36.173",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-04-19T19:15:07.067",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-23340
Vulnerability from fkie_nvd - Published: 2024-01-22 23:15 - Updated: 2024-11-21 08:57
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object whose `url` behaves unexpectedly. In the standard API, if the URL contains `..` ("double dots"), the URL string returned by Request is the resolved path. However, the `url` in @hono/node-server's Request does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned as-is. This causes path traversal when using `serveStatic`: the unresolved `..` can escape the static root. Modern web browsers and the latest `curl` resolve double dots on the client side before sending the request, so casual use through those tools does not trigger the bug — but that is not a mitigation, since an attacker can send the raw, unnormalized path with any client or script that does not normalize it. Version 1.4.1 includes the change that fixes this issue. As a workaround, don't use `serveStatic`.
References
- Product (vulnerable code): https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45
- Patch: https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402
- Exploit / Vendor Advisory: https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359
Impacted products
| Vendor | Product | Version | CPE |
|---|---|---|---|
| hono | node-server | >= 1.3.0, < 1.4.1 | cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:* |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "050ADA00-CAFF-4B7D-AB88-92F4196D1289",
"versionEndExcluding": "1.4.1",
"versionStartIncluding": "1.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server\u0027s Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn\u0027t affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don\u0027t use `serveStatic`.\n\n"
},
{
"lang": "es",
"value": "@hono/node-server es un adaptador que permite a los usuarios ejecutar aplicaciones Hono en Node.js. Desde v1.3.0, @hono/node-server ha utilizado su propio objeto Request con un comportamiento de `url` inesperado. En la API est\u00e1ndar, si la URL contiene `..`, aqu\u00ed denominada \"puntos dobles\", la cadena de URL devuelta por la Solicitud estar\u00e1 en la ruta resuelta. Sin embargo, la `url` en la solicitud de @hono/node-server no resuelve los puntos dobles, por lo que se devuelve `http://localhost/static/.. /foo.txt`. Esto provoca vulnerabilidades al utilizar `serveStatic`. Los navegadores web modernos y el \u00faltimo comando `curl` resuelven los puntos dobles en el lado del cliente, por lo que este problema no afecta a quienes utilizan cualquiera de esas herramientas. Sin embargo, pueden ocurrir problemas si accede un cliente que no los resuelve. La versi\u00f3n 1.4.1 incluye el cambio para solucionar este problema. Como workaround, no utilice \"serveStatic\"."
}
],
"id": "CVE-2024-23340",
"lastModified": "2024-11-21T08:57:32.643",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-22T23:15:08.637",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2024-32652 (GCVE-0-2024-32652)
Vulnerability from cvelistv5 – Published: 2024-04-19 18:29 – Updated: 2024-08-02 02:13
Title
@hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed
Summary
The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when it receives a `Host` header with a value that `@hono/node-server` cannot handle: any value that the `URL` constructor fails to parse as a hostname, such as an empty string, a slash `/`, or other malformed strings. The `Host` header is fully attacker-controlled and no authentication is needed, so a malformed request from any network client can stop the server from serving further requests — an unauthenticated remote denial of service (CVSS 3.1 base score 7.5, availability impact High). Version 1.10.1 includes the fix; the advisory text gives no workaround, so upgrading is the remediation.
Severity ?
7.5 (High)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx | x_refsource_CONFIRM |
| https://github.com/honojs/node-server/issues/159 | x_refsource_MISC |
| https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| honojs | node-server | Affected: >= 1.3.0, < 1.10.1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "node-server",
"vendor": "hono",
"versions": [
{
"lessThan": "1.10.1",
"status": "affected",
"version": "1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T14:58:57.373374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:52:02.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"name": "https://github.com/honojs/node-server/issues/159",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"name": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.10.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can\u0027t handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T18:29:42.857Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"name": "https://github.com/honojs/node-server/issues/159",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"name": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
}
],
"source": {
"advisory": "GHSA-hgxw-5xg3-69jx",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32652",
"datePublished": "2024-04-19T18:29:42.857Z",
"dateReserved": "2024-04-16T14:15:26.876Z",
"dateUpdated": "2024-08-02T02:13:40.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23340 (GCVE-0-2024-23340)
Vulnerability from cvelistv5 – Published: 2024-01-22 23:00 – Updated: 2025-05-30 14:21
Title
@hono/node-server can't handle "double dots" in URL
Summary
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object whose `url` behaves unexpectedly. In the standard API, if the URL contains `..` ("double dots"), the URL string returned by Request is the resolved path. However, the `url` in @hono/node-server's Request does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned as-is. This causes path traversal when using `serveStatic`: the unresolved `..` can escape the static root. Modern web browsers and the latest `curl` resolve double dots on the client side before sending the request, so casual use through those tools does not trigger the bug — but that is not a mitigation, since an attacker can send the raw, unnormalized path with any client or script that does not normalize it. Version 1.4.1 includes the change that fixes this issue. As a workaround, don't use `serveStatic`.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359 | x_refsource_CONFIRM |
| https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402 | x_refsource_MISC |
| https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| honojs | node-server | Affected: >= 1.3.0, < 1.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23340",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:34:31.017406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:21:51.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server\u0027s Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn\u0027t affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don\u0027t use `serveStatic`.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-22T23:00:34.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
}
],
"source": {
"advisory": "GHSA-rjq5-w47x-x359",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server can\u0027t handle \"double dots\" in URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23340",
"datePublished": "2024-01-22T23:00:34.510Z",
"dateReserved": "2024-01-15T15:19:19.444Z",
"dateUpdated": "2025-05-30T14:21:51.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32652 (GCVE-0-2024-32652)
Vulnerability from nvd – Published: 2024-04-19 18:29 – Updated: 2024-08-02 02:13
Title
@hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed
Summary
The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when it receives a `Host` header with a value that `@hono/node-server` cannot handle: any value that the `URL` constructor fails to parse as a hostname, such as an empty string, a slash `/`, or other malformed strings. The `Host` header is fully attacker-controlled and no authentication is needed, so a malformed request from any network client can stop the server from serving further requests — an unauthenticated remote denial of service (CVSS 3.1 base score 7.5, availability impact High). Version 1.10.1 includes the fix; the advisory text gives no workaround, so upgrading is the remediation.
Severity ?
7.5 (High)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx | x_refsource_CONFIRM |
| https://github.com/honojs/node-server/issues/159 | x_refsource_MISC |
| https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| honojs | node-server | Affected: >= 1.3.0, < 1.10.1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "node-server",
"vendor": "hono",
"versions": [
{
"lessThan": "1.10.1",
"status": "affected",
"version": "1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T14:58:57.373374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:52:02.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"name": "https://github.com/honojs/node-server/issues/159",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"name": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.10.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can\u0027t handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T18:29:42.857Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"name": "https://github.com/honojs/node-server/issues/159",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"name": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
}
],
"source": {
"advisory": "GHSA-hgxw-5xg3-69jx",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32652",
"datePublished": "2024-04-19T18:29:42.857Z",
"dateReserved": "2024-04-16T14:15:26.876Z",
"dateUpdated": "2024-08-02T02:13:40.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23340 (GCVE-0-2024-23340)
Vulnerability from nvd – Published: 2024-01-22 23:00 – Updated: 2025-05-30 14:21
Title
@hono/node-server can't handle "double dots" in URL
Summary
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object whose `url` behaves unexpectedly. In the standard API, if the URL contains `..` ("double dots"), the URL string returned by Request is the resolved path. However, the `url` in @hono/node-server's Request does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned as-is. This causes path traversal when using `serveStatic`: the unresolved `..` can escape the static root. Modern web browsers and the latest `curl` resolve double dots on the client side before sending the request, so casual use through those tools does not trigger the bug — but that is not a mitigation, since an attacker can send the raw, unnormalized path with any client or script that does not normalize it. Version 1.4.1 includes the change that fixes this issue. As a workaround, don't use `serveStatic`.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359 | x_refsource_CONFIRM |
| https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402 | x_refsource_MISC |
| https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| honojs | node-server | Affected: >= 1.3.0, < 1.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23340",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:34:31.017406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:21:51.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-server",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server\u0027s Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn\u0027t affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don\u0027t use `serveStatic`.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-22T23:00:34.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"
},
{
"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"
},
{
"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"
}
],
"source": {
"advisory": "GHSA-rjq5-w47x-x359",
"discovery": "UNKNOWN"
},
"title": "@hono/node-server can\u0027t handle \"double dots\" in URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23340",
"datePublished": "2024-01-22T23:00:34.510Z",
"dateReserved": "2024-01-15T15:19:19.444Z",
"dateUpdated": "2025-05-30T14:21:51.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}