[MEDIUM] Security Advisory: Hono: Middleware bypass via repeated slashes in serveStatic (hono)

Hono, the ultra-fast web framework for edge runtimes like Cloudflare Workers and Deno, patched a middleware bypass vulnerability in its serveStatic middleware. Attackers could access files protected by route-based middleware—such as those under /admin/*—by slipping repeated slashes (//) into request paths. The router failed to match these malformed paths, skipping authorization checks, while serveStatic normalized them and served the files anyway.

This issue stems from inconsistent path handling between Hono’s routing layer and the static file resolver. For instance, a legitimate request to /admin/secret.txt triggers middleware on /admin/*, blocking unauthorized access. But /admin//secret.txt dodges the match because the router treats repeated slashes literally, not normalizing them upfront. Meanwhile, serveStatic resolves admin//secret.txt to the same on-disk path admin/secret.txt, delivering the file without checks.

Even sneakier: requests like GET //admin/secret.txt or /static//admin/config.json bypass protections entirely if serveStatic roots at / or a parent directory. Hono’s team fixed this in a recent release by outright rejecting any path containing consecutive slashes during serveStatic processing. This enforces uniformity: no match, no service.

Technical Deep Dive

Reproduce it pre-patch with this minimal Hono app:

import { Hono } from 'hono';
import { serveStatic } from 'hono/bun'; // or equivalent for your runtime

const app = new Hono();

app.use('/admin/*', async (c, next) => {
  // Simulate auth check
  if (!c.req.header('Authorization')) {
    return c.text('Unauthorized', 401);
  }
  await next();
});

app.get('/admin/*', (c) => c.text('Protected route'));

app.use('/*', serveStatic({ root: './public' })); // Catch-all static handler: resolves e.g. public/admin/secret.txt on disk

export default app;

Hit /admin/secret.txt without auth: blocked. Try /admin//secret.txt: router skips /admin/*, serveStatic serves public/admin/secret.txt. Classic normalization mismatch, akin to historical bypasses in Nginx (merge_slashes off) or Apache’s path canonicalization flaws.

Hono’s router, built on regex patterns, doesn’t collapse slashes by default, to preserve edge cases like proxy paths. File systems and Node’s fs (or the Bun/Deno equivalents) do collapse them, creating the gap. The fix adds a simple check on the request path, equivalent to if (path.includes('//')) return 400;, so the rejection is cheap and unambiguous.

Impact and Real-World Risks

Affects any Hono app using serveStatic with route middleware for static file gating. No CVSS score yet, but it’s path traversal-adjacent: information disclosure of sensitive assets like .env, user uploads, or admin dashboards. In production, think Cloudflare Workers serving S3-backed assets or Deno deployments with private configs—a single bad request exposes them.

Why this matters: Developers lean on Hono’s speed (10x faster than Express) and middleware simplicity for microservices and APIs. But static auth via routes alone is brittle. This vuln highlights a broader truth—framework routers aren’t bulletproof against path tricks. Data from Snyk shows 15% of web vulns involve path manipulation; Hono users dodged a bullet, but skimping on layered defenses invites trouble.

Mitigate now: Update to the latest Hono (v3.11+ as of October 2024). Reject // at your reverse proxy (e.g., Nginx: merge_slashes on; if ($request_uri ~ "^(.*)//(.*)$") { return 400; }). Better yet, isolate static roots with serveStatic({ root: '/strict/path' }) and enforce filesystem permissions. For auth, pair middleware with signed URLs or token checks in static handlers.

Skeptical take: Hono’s fix is pragmatic—no overkill regex rewriting paths globally. But it underscores why “fast and simple” frameworks demand vigilant path hygiene. If you’re serving statics behind auth, test with fuzz tools like ffuf:

$ ffuf -u http://localhost/FUZZ -w slashes.txt -fs 0

where slashes.txt packs admin//secret.txt, /../admin, etc. Layers beat assumptions every time.

Bottom line: Patch immediately if using serveStatic. This isn’t hype—it’s a reminder that edge speed doesn’t excuse sloppy security. Hono stays lean; you stay secure.

April 8, 2026 · Source: GitHub Security