https://vulnerability.circl.lu/sightings/feedMost recent sightings.2026-06-04T22:54:54.314656+00:00Vulnerability-Lookupinfo@circl.lupython-feedgenContains only the most 10 recent sightings.https://vulnerability.circl.lu/sighting/aa1a1ec5-992a-40b6-b4d0-ee5ad1945818/exportaa1a1ec5-992a-40b6-b4d0-ee5ad19458182026-06-04T22:54:54.707308+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "aa1a1ec5-992a-40b6-b4d0-ee5ad1945818", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47676", "type": "seen", "source": "https://gist.github.com/alon710/9a85ace33b5f15b6d07a68897c3ce675", "content": "# CVE-2026-47676: CVE-2026-47676: Inconsistent Path Parsing and Slicing in Hono Framework Sub-Application Mounting\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-04\n> **Full Report:** https://cvereports.com/reports/CVE-2026-47676\n\n## Summary\nA path parsing and normalization inconsistency vulnerability exists in the Hono web framework prior to version 4.12.21. When hosting sub-applications via the app.mount() routing interface, Hono calculates the routing path prefix length on a percent-decoded representation of the URI but executes the path-slicing offset on the raw, percent-encoded string. This discrepancy results in malformed request paths being dispatched to mounted sub-applications, potentially leading to route bypasses, route confusion, and application-level Denial of Service.\n\n## TL;DR\nAn inconsistency between decoded prefix matching and raw path-slicing in Hono's app.mount() causes malformed path propagation and routing failures when processing percent-encoded multi-byte URI characters.\n\n## Technical Details\n\n- **CWE ID**: CWE-444 (Inconsistent Interpretation of HTTP Requests)\n- **Attack Vector**: Network (AV:N)\n- **CVSS Severity**: 5.3 Medium\n- **Exploit Status**: Proof of Concept available in test suites\n- **KEV Status**: Not listed\n- **Ransomware Use**: No known usage\n\n## Affected Systems\n\n- Hono framework web applications running on Node.js, Bun, Deno, or Cloudflare Workers\n- **hono**: < 4.12.21 (Fixed in: `4.12.21`)\n\n## Mitigation\n\n- Upgrade Hono dependencies to version 4.12.21 or higher\n- Ensure all mount prefixes are defined strictly using Unicode literals rather than percent-encoded strings\n- Implement a global catch-all exception handler to catch unhandled URIErrors resulting from malformed HTTP paths\n\n**Remediation Steps:**\n1. Identify all projects utilizing Hono by running 'npm ls hono' or equivalent package manager commands\n2. Update the project package.json to require 'hono': '^4.12.21' or higher\n3. Execute the package manager install command to apply the update ('npm install' or 'pnpm install')\n4. Review codebase usage of 'app.mount' to ensure prefixes do not contain hardcoded percent-encoded characters\n5. Re-deploy the application to production and run regression tests containing non-ASCII route characters\n\n## References\n\n- [Hono Security Advisory GHSA-2gcr-mfcq-wcc3](https://github.com/honojs/hono/security/advisories/GHSA-2gcr-mfcq-wcc3)\n- [Fix Commit 6cbb025](https://github.com/honojs/hono/commit/6cbb025ff87fca1a3d00d0ccca0eaf3a6385c3f1)\n- [CVE-2026-47676 Record](https://www.cve.org/CVERecord?id=CVE-2026-47676)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-47676) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T18:41:16.000000Z"}2026-06-04T18:41:16+00:00