Jan 27, 2026·5 min read·27 visits
Hono's static asset adapter used a logical OR operator (`||`) to fallback to the raw request path if a file wasn't found in the manifest. This allowed attackers to request any key present in the Cloudflare Workers KV namespace, potentially exposing internal configuration or secrets if they shared the same storage bucket as your cat photos.
A logic flaw in Hono's `serve-static` middleware for Cloudflare Workers allowed attackers to bypass the asset manifest and read arbitrary keys from the underlying KV storage. It turns out that a convenient fallback mechanism is indistinguishable from a gaping security hole.
Serverless environments like Cloudflare Workers are brilliant for compute, but they are notoriously awkward when it comes to the simple act of serving a JPEG. You don't have a filesystem. You have a distributed Key-Value (KV) store that pretends to be a filesystem. Enter Hono, the lightweight framework designed to make this headache go away.
Hono's serve-static middleware is the bridge. It takes a URL request (like /images/logo.png), looks up that path in a generated ASSET_MANIFEST (a JSON map created at build time), and finds the corresponding unique key in the KV store (something like logo.a1b2c3d4.png). It’s a clean, efficient abstraction.
But here is the rub: abstractions leak. When you rely on a middleware to decide what is public and what is private based solely on a lookup table, the logic governing that lookup had better be bulletproof. In CVE-2026-24473, that logic was about as bulletproof as a wet paper towel.
The vulnerability resides in the classic developer impulse to be 'helpful' or 'flexible'. In the Cloudflare Workers adapter, the code needs to translate a request path into a KV key. The developers anticipated a scenario where a user might request a path that exactly matches a KV key, even if it wasn't explicitly listed in the build-time manifest.
So, they implemented a fallback. If the requested path wasn't found in the ASSET_MANIFEST, the code shrugged and said, "Eh, maybe the path is the key?" and tried to fetch it anyway. This turned the middleware from a strict whitelist (only serve what is in the manifest) into a 'try everything' proxy.
This is a textbook example of fail-open logic. By allowing the raw user input to be used directly as a lookup key for the storage backend, the application implicitly trusted that the user would only ask for things they were supposed to see. In the security world, we call this 'optimism', and it is usually fatal.
Let's look at the smoking gun. The vulnerability lived in src/adapter/cloudflare-workers/utils.ts. It’s almost poetic how small the bug is.
// The Vulnerable Logic
export const getContentFromKVAsset = async (
path: string,
options?: Partial<ServeStaticOptions>
) => {
const ASSET_MANIFEST = options?.manifest || __STATIC_CONTENT_MANIFEST
// HERE IS THE BUG:
const key = ASSET_MANIFEST[path] || path
if (!key) {
return null
}
// ... fetch content from KV using 'key' ...
}Do you see it? const key = ASSET_MANIFEST[path] || path. That double pipe || operator is doing a lot of heavy lifting. It says: "If the path is in the manifest, use the mapped key. Otherwise, just use the path itself."
An attacker requests /secrets.json. The manifest obviously doesn't have an entry for /secrets.json. The code evaluates ASSET_MANIFEST['/secrets.json'], gets undefined, hits the || operator, and sets key to '/secrets.json'. It then happily queries the KV store for that key. If your build process accidentally uploaded a config file to the KV store, or if you share the KV namespace with other application logic, Hono just served it on a silver platter.
Exploiting this requires a bit of guessing, but in the world of Cloudflare Workers, namespaces are often reused to save money or simplify config. A developer might create a single KV namespace called MY_APP_DATA and throw everything in there: static assets, session data, and feature flags.
The Attack Chain:
.env, config.json, manifest.json, __STATIC_CONTENT_MANIFEST.GET /config.json.
config.json as the KV key.This bypasses the entire concept of the ASSET_MANIFEST acting as an access control list. It essentially turns the serve-static middleware into a generic Key-Value gateway for anyone with a web browser.
The fix is as simple as the bug. The Hono team removed the fallback logic. If it's not in the manifest, it doesn't exist. Period.
Here is the diff from commit cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817:
--- a/src/adapter/cloudflare-workers/utils.ts
+++ b/src/adapter/cloudflare-workers/utils.ts
@@ -36,7 +36,7 @@ export const getContentFromKVAsset = async (
ASSET_NAMESPACE = __STATIC_CONTENT
}
- const key = ASSET_MANIFEST[path] || path
+ const key = ASSET_MANIFEST[path]
if (!key) {
return null
}By removing || path, the variable key becomes undefined if the lookup fails. The subsequent check if (!key) return null triggers, and the request harmlessly 404s. This restores the 'Default Deny' posture that security components should have had from the start.
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N| Product | Affected Versions | Fixed Version |
|---|---|---|
Hono Honojs | < 4.11.7 | 4.11.7 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-200 / CWE-668 |
| CVSS v4.0 | 6.3 (Medium) |
| Attack Vector | Network |
| Privileges Required | None |
| Impact | Information Disclosure |
| Patch Status | Released (v4.11.7) |
Exposure of Resource to Wrong Sphere
CVE-2026-49851 is a high-severity algorithmic complexity vulnerability in the Mistune Markdown parser. Under specific conditions involving dense, unmatched nesting of opening square brackets, the parser fallback loops degrade from linear execution time to a worst-case quadratic complexity. This allows unauthenticated remote attackers to trigger complete CPU exhaustion and subsequent Denial of Service with a highly compact payload.
An allocation of resources without limits or throttling vulnerability in the Elixir Mint HTTP client library allows malicious HTTP/2 servers to trigger memory exhaustion and application denial of service. The flaw exists because Mint fails to validate server-push concurrency limits during the receipt of PUSH_PROMISE frames, deferring validation to the HEADERS phase. This allows a server to reserve an unlimited number of streams in the client's memory map.
An unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki prior to version 4.6.6. The application attempts to validate mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This design leads to both Regular Expression Denial of Service (ReDoS) and Remote Code Execution (RCE) via validation bypass.
An infinite loop vulnerability exists in the pure-Python PDF library pypdf prior to version 6.13.1. When parsing or merging a crafted PDF file containing a cyclic Article/Thread structure, the library fails to exit its traversal loop. This causes the executing thread to hang indefinitely, leading to 100% CPU utilization and a denial of service. The vulnerability is tracked under CVE-2026-54651 and GHSA-g9xf-7f8q-9mcj, with a CVSS base score of 5.5. This technical report provides a root cause analysis, code review, exploitation vectors, and mitigation paths.
The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.
An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.