CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-47676

CVE-2026-47676: Inconsistent Path Parsing and Slicing in Hono Framework Sub-Application Mounting

Alon Barad
Alon Barad
Software Engineer

Jun 4, 2026·6 min read·12 visits

Executive Summary (TL;DR)

An inconsistency between decoded prefix matching and raw path-slicing in Hono's app.mount() causes malformed path propagation and routing failures when processing percent-encoded multi-byte URI characters.

A path parsing and normalization inconsistency vulnerability exists in the Hono web framework prior to version 4.12.21. When hosting sub-applications via the app.mount() routing interface, Hono calculates the routing path prefix length on a percent-decoded representation of the URI but executes the path-slicing offset on the raw, percent-encoded string. This discrepancy results in malformed request paths being dispatched to mounted sub-applications, potentially leading to route bypasses, route confusion, and application-level Denial of Service.

Vulnerability Overview

The Hono web framework provides a feature via the app.mount() method that enables developers to attach independent sub-applications or custom HTTP fetch handlers to specific path prefixes within a parent application. This architecture relies on a routing separation boundary where the parent router handles the initial route matching and subsequently delegates the request execution downstream.

To forward the request accurately, the parent application must strip the matching base path prefix from the incoming URI before invoking the sub-application handler. This ensures that the sub-application only receives the sub-path matching its internal route definitions.

Prior to version 4.12.21, a severe parsing discrepancy existed between the prefix matching phase and the prefix stripping phase. While matching was calculated using the normalized, percent-decoded representation of the URL, the stripping phase applied string slicing parameters directly to the raw, percent-encoded request pathname.

This discrepancy systematically breaks routing logic when the mount path or the incoming URI contains percent-encoded multi-byte UTF-8 characters. The mismatch between the decoded character length and the raw encoded byte length results in truncated or corrupted path segments being forwarded to the sub-application context.

Root Cause Analysis

The fundamental flaw lies in how the routing logic computes and applies the offset index for slicing the mount prefix. In JavaScript, string lengths are determined by the number of UTF-16 code units. A percent-decoded multi-byte character, such as the UTF-8 character 'é', resolves to a single code unit with a string length of one.

When a client submits an HTTP request containing a percent-encoded sequence, such as %C3%A9 (the URL-encoded representation of 'é'), the raw string length of this sequence is six. During the initial matching phase, Hono correctly normalizes the incoming path, permitting the route evaluator to recognize and match the decoded path prefix.

However, during the request propagation phase, Hono determined the slice offset by reading the .length property of the decoded path prefix and applied this numerical index directly to the un-decoded url.pathname string. Because the raw percent-encoded string is longer than its decoded counterpart, the slice operation occurs prematurely.

As a direct result of this offset misalignment, the sliced path includes leftover fragments of the percent-encoded sequence. The malformed path is then passed to the sub-application, which fails to match any valid route handlers, culminating in unexpected routing states or failure conditions.

Code Analysis

The source code of Hono prior to version 4.12.21 highlights the implementation of the vulnerable handler construction within the app.mount() pipeline. The calculations for pathPrefixLength and the subsequent modification of the pathname property illustrate the flawed assumptions.

// VULNERABLE CODE (hono-base.ts prior to v4.12.21)
const pathPrefixLength = mergedPath === '/' ? 0 : mergedPath.length
return (request) => {
  const url = new URL(request.url)
  // url.pathname contains the raw, percent-encoded path
  // pathPrefixLength is calculated based on the decoded mergedPath
  url.pathname = url.pathname.slice(pathPrefixLength) || '/'
  return new Request(url, request)
}

When a request for /api/%C3%A9/hello is routed through a sub-application mounted at /api/é, the decoded length of /api/é is calculated as 7. Slicing the raw path /api/%C3%A9/hello at index 7 removes only the prefix /api/%C and leaves 3%A9/hello intact. This malformed string becomes the new request pathname.

To remediate this issue, the patch modifies the handler to retrieve the decoded path using the internal getPath(request) method before attempting the slice. This ensures that the length subtraction occurs on a text representation that is structurally equivalent to the matched prefix.

// PATCHED CODE (hono-base.ts in v4.12.21)
const pathPrefixLength = mergedPath === '/' ? 0 : mergedPath.length
return (request) => {
  const url = new URL(request.url)
  // Both the calculation and the slice are now performed on normalized data
  url.pathname = this.getPath(request).slice(pathPrefixLength) || '/'
  return new Request(url, request)
}

Exploitation Methodology

Exploiting this vulnerability does not require specialized tools and can be accomplished via standard HTTP clients. An attacker target must have a sub-application mounted on a prefix containing multi-byte characters or special characters that undergo normalization changes during URL decoding.

To construct a reproduction, consider a sub-application defining a sensitive route /hello mounted on the parent application at /api/é. Under normal operations, a request directed to /api/%C3%A9/hello would match the sub-application's /hello handler.

Due to the slicing bug, the path forwarded to the sub-application is evaluated as /3%A9/hello. Because this path does not exist in the routing registry, the sub-application returns a 404 error, creating an immediate Denial of Service for that functional route.

If the sub-application implements wildcard handlers (/*) or fallback routes designed to handle catch-all logic, these handlers will execute instead of the intended endpoints. An attacker can manipulate the percent-encoding in the prefix to craft predictable arbitrary path inputs to the sub-application, bypassing intermediate security filters.

Impact Assessment

The impact of this vulnerability is classified as Medium, with a CVSS v3.1 score of 5.3. The primary consequences involve integrity and availability degradation of application routing mechanisms.

In microservice architectures or multi-tenant cloud worker configurations where Hono mounts sub-applications to isolate tenants or functional areas, route confusion represents a potential security bypass. An attacker can manipulate requests to escape expected prefix scopes or access fallback routes that bypass token verification routines placed on explicit paths.

Additionally, applications serving legacy internationalized paths or relying on non-ASCII route prefixes will suffer persistent Denial of Service states. Any standard browser requests containing automatic percent-encoding of Unicode characters in the path prefix will fail to resolve inside the sub-application.

No instances of exploitation in the wild have been observed. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, and its low EPSS score reflects its specialized exploit requirements.

Remediation and Residual Risks

The primary remediation strategy is upgrading the Hono framework dependency to version 4.12.21 or later. The patch forces uniform use of the internal path resolver, eliminating the offset length discrepancy.

Review of the patch reveals a critical edge case regarding the manual definition of mount paths. If developers configure the mount prefix using percent-encoded literals directly (e.g., app.mount('/api/%C3%A9', subApp)), the mergedPath variable length calculation will measure the raw length (10), while the patched logic will apply this index to the decoded path (length 12), resulting in over-slicing and routing failures.

Furthermore, the getPath utility invokes decodeURI internally to handle normalization. If an attacker submits a malformed percent-encoded sequence (such as /% or /%G1) in the path prefix, decodeURI throws a native URIError exception.

If the Hono instance lacks a comprehensive global error handling middleware, this unhandled exception will propagate to the Node.js or serverless host runtime. This behavior can result in unexpected process terminations or worker crashes, exposing an alternative vector for Denial of Service attacks.

Official Patches

honojsGitHub Security Advisory GHSA-2gcr-mfcq-wcc3
honojsHono version 4.12.21 release notes

Fix Analysis (1)

Technical Appendix

CVSS Score
5.3/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Probability
0.07%
Top 79% most exploited

Affected Systems

Hono framework web applications running on Node.js, Bun, Deno, or Cloudflare Workers

Affected Versions Detail

Product
Affected Versions
Fixed Version
hono
honojs
< 4.12.214.12.21
AttributeDetail
CWE IDCWE-444 (Inconsistent Interpretation of HTTP Requests)
Attack VectorNetwork (AV:N)
CVSS Severity5.3 Medium
Exploit StatusProof of Concept available in test suites
KEV StatusNot listed
Ransomware UseNo known usage

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1562Impair Defenses
Defense Evasion
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The application calculates string length offsets using a percent-decoded path representation but applies the resulting offset slice to the raw percent-encoded URI string, causing parsing misalignment.

Vulnerability Timeline

Vulnerability fix committed and Hono v4.12.21 released
2026-05-19
GitHub Security Advisory and CVE-2026-47676 published
2026-05-28

References & Sources

  • [1]Hono Security Advisory GHSA-2gcr-mfcq-wcc3
  • [2]Fix Commit 6cbb025
  • [3]CVE-2026-47676 Record

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 17 hours ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 18 hours ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
7 views•6 min read
•about 19 hours ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
7 views•7 min read
•about 20 hours ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 21 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 22 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read