CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-24473

The Infinite Fallback: How Hono Leaked Your Cloudflare KV Keys

Alon Barad
Alon Barad
Software Engineer

Jan 27, 2026·5 min read·27 visits

Executive Summary (TL;DR)

Hono's static asset adapter used a logical OR operator (`||`) to fallback to the raw request path if a file wasn't found in the manifest. This allowed attackers to request any key present in the Cloudflare Workers KV namespace, potentially exposing internal configuration or secrets if they shared the same storage bucket as your cat photos.

A logic flaw in Hono's `serve-static` middleware for Cloudflare Workers allowed attackers to bypass the asset manifest and read arbitrary keys from the underlying KV storage. It turns out that a convenient fallback mechanism is indistinguishable from a gaping security hole.

The Hook: Static Files in a Serverless World

Serverless environments like Cloudflare Workers are brilliant for compute, but they are notoriously awkward when it comes to the simple act of serving a JPEG. You don't have a filesystem. You have a distributed Key-Value (KV) store that pretends to be a filesystem. Enter Hono, the lightweight framework designed to make this headache go away.

Hono's serve-static middleware is the bridge. It takes a URL request (like /images/logo.png), looks up that path in a generated ASSET_MANIFEST (a JSON map created at build time), and finds the corresponding unique key in the KV store (something like logo.a1b2c3d4.png). It’s a clean, efficient abstraction.

But here is the rub: abstractions leak. When you rely on a middleware to decide what is public and what is private based solely on a lookup table, the logic governing that lookup had better be bulletproof. In CVE-2026-24473, that logic was about as bulletproof as a wet paper towel.

The Flaw: The 'Helpful' Fallback

The vulnerability resides in the classic developer impulse to be 'helpful' or 'flexible'. In the Cloudflare Workers adapter, the code needs to translate a request path into a KV key. The developers anticipated a scenario where a user might request a path that exactly matches a KV key, even if it wasn't explicitly listed in the build-time manifest.

So, they implemented a fallback. If the requested path wasn't found in the ASSET_MANIFEST, the code shrugged and said, "Eh, maybe the path is the key?" and tried to fetch it anyway. This turned the middleware from a strict whitelist (only serve what is in the manifest) into a 'try everything' proxy.

This is a textbook example of fail-open logic. By allowing the raw user input to be used directly as a lookup key for the storage backend, the application implicitly trusted that the user would only ask for things they were supposed to see. In the security world, we call this 'optimism', and it is usually fatal.

The Code: One Operator to Rule Them All

Let's look at the smoking gun. The vulnerability lived in src/adapter/cloudflare-workers/utils.ts. It’s almost poetic how small the bug is.

// The Vulnerable Logic
export const getContentFromKVAsset = async (
  path: string,
  options?: Partial<ServeStaticOptions>
) => {
  const ASSET_MANIFEST = options?.manifest || __STATIC_CONTENT_MANIFEST
  
  // HERE IS THE BUG:
  const key = ASSET_MANIFEST[path] || path
  
  if (!key) {
    return null
  }
  // ... fetch content from KV using 'key' ...
}

Do you see it? const key = ASSET_MANIFEST[path] || path. That double pipe || operator is doing a lot of heavy lifting. It says: "If the path is in the manifest, use the mapped key. Otherwise, just use the path itself."

An attacker requests /secrets.json. The manifest obviously doesn't have an entry for /secrets.json. The code evaluates ASSET_MANIFEST['/secrets.json'], gets undefined, hits the || operator, and sets key to '/secrets.json'. It then happily queries the KV store for that key. If your build process accidentally uploaded a config file to the KV store, or if you share the KV namespace with other application logic, Hono just served it on a silver platter.

The Exploit: KV Dumpster Diving

Exploiting this requires a bit of guessing, but in the world of Cloudflare Workers, namespaces are often reused to save money or simplify config. A developer might create a single KV namespace called MY_APP_DATA and throw everything in there: static assets, session data, and feature flags.

The Attack Chain:

  1. Recon: The attacker notices the site is running Hono on Cloudflare (headers or behavior usually give this away).
  2. Fuzzing: The attacker starts requesting common filenames that shouldn't be public but might exist in a backend storage context: .env, config.json, manifest.json, __STATIC_CONTENT_MANIFEST.
  3. Execution: The attacker sends GET /config.json.
    • The middleware checks the legitimate asset manifest. It's not there.
    • The middleware falls back to using config.json as the KV key.
    • The Cloudflare runtime returns the value associated with that key.

This bypasses the entire concept of the ASSET_MANIFEST acting as an access control list. It essentially turns the serve-static middleware into a generic Key-Value gateway for anyone with a web browser.

The Fix: Killing the Fallback

The fix is as simple as the bug. The Hono team removed the fallback logic. If it's not in the manifest, it doesn't exist. Period.

Here is the diff from commit cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817:

--- a/src/adapter/cloudflare-workers/utils.ts
+++ b/src/adapter/cloudflare-workers/utils.ts
@@ -36,7 +36,7 @@ export const getContentFromKVAsset = async (
     ASSET_NAMESPACE = __STATIC_CONTENT
   }
 
-  const key = ASSET_MANIFEST[path] || path
+  const key = ASSET_MANIFEST[path]
   if (!key) {
     return null
   }

By removing || path, the variable key becomes undefined if the lookup fails. The subsequent check if (!key) return null triggers, and the request harmlessly 404s. This restores the 'Default Deny' posture that security components should have had from the start.

Official Patches

HonoOfficial Release Notes
GitHubCommit Diff

Fix Analysis (1)

Technical Appendix

CVSS Score
6.3/ 10
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Systems

Hono Framework (JavaScript)Cloudflare Workers using `serve-static` middleware

Affected Versions Detail

Product
Affected Versions
Fixed Version
Hono
Honojs
< 4.11.74.11.7
AttributeDetail
CWE IDCWE-200 / CWE-668
CVSS v4.06.3 (Medium)
Attack VectorNetwork
Privileges RequiredNone
ImpactInformation Disclosure
Patch StatusReleased (v4.11.7)

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1595Active Scanning
Reconnaissance
CWE-668
Exposure of Resource to Wrong Sphere

Exposure of Resource to Wrong Sphere

Known Exploits & Detection

N/ANo public exploit code available yet, but trivial to reproduce manually.

Vulnerability Timeline

Vulnerability Published
2026-01-27
Patch Released (v4.11.7)
2026-01-27

References & Sources

  • [1]GitHub Advisory GHSA-w332-q679-j88p
  • [2]NVD Entry

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•31 minutes ago•CVE-2026-49851
7.5

CVE-2026-49851: Algorithmic Complexity Denial of Service in Mistune Markdown Parser

CVE-2026-49851 is a high-severity algorithmic complexity vulnerability in the Mistune Markdown parser. Under specific conditions involving dense, unmatched nesting of opening square brackets, the parser fallback loops degrade from linear execution time to a worst-case quadratic complexity. This allows unauthenticated remote attackers to trigger complete CPU exhaustion and subsequent Denial of Service with a highly compact payload.

Alon Barad
Alon Barad
3 views•6 min read
•about 1 hour ago•CVE-2026-48862
8.2

CVE-2026-48862: Unbounded Resource Allocation via HTTP/2 PUSH_PROMISE Flooding in Mint

An allocation of resources without limits or throttling vulnerability in the Elixir Mint HTTP client library allows malicious HTTP/2 servers to trigger memory exhaustion and application denial of service. The flaw exists because Mint fails to validate server-push concurrency limits during the receipt of PUSH_PROMISE frames, deferring validation to the HEADERS phase. This allows a server to reserve an unlimited number of streams in the client's memory map.

Amit Schendel
Amit Schendel
5 views•7 min read
•about 3 hours ago•CVE-2026-52778
9.8

CVE-2026-52778: Unauthenticated Remote Code Execution and ReDoS in YesWiki Bazar Formula Calculator

An unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki prior to version 4.6.6. The application attempts to validate mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This design leads to both Regular Expression Denial of Service (ReDoS) and Remote Code Execution (RCE) via validation bypass.

Alon Barad
Alon Barad
4 views•7 min read
•about 3 hours ago•CVE-2026-54651
5.5

CVE-2026-54651: Infinite Loop Vulnerability in pypdf Article Thread Parser

An infinite loop vulnerability exists in the pure-Python PDF library pypdf prior to version 6.13.1. When parsing or merging a crafted PDF file containing a cyclic Article/Thread structure, the library fails to exit its traversal loop. This causes the executing thread to hang indefinitely, leading to 100% CPU utilization and a denial of service. The vulnerability is tracked under CVE-2026-54651 and GHSA-g9xf-7f8q-9mcj, with a CVSS base score of 5.5. This technical report provides a root cause analysis, code review, exploitation vectors, and mitigation paths.

Alon Barad
Alon Barad
7 views•7 min read
•about 8 hours ago•GHSA-387M-935M-C4VW
7.5

GHSA-387m-935m-c4vw: Unbounded HTTP Redirections Enable Infinite Loop Denial of Service in Micronaut HTTP Client

The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 8 hours ago•GHSA-Q6GH-6V2R-HJV3
8.8

GHSA-Q6GH-6V2R-HJV3: Cross-Origin Credential Leakage in Micronaut HTTP Client

An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.

Amit Schendel
Amit Schendel
6 views•6 min read