js · hono
Heads-up
Hono: Encoded backslash path traversal on Windows
On Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator.
What changed
Hono matches mount prefixes such as app.use('/private/*', ...) against the decoded request path, using / as the only segment separator. A path whose segment boundary is written as %5C decodes to a backslash, so it does not match the guarding prefix and the middleware never runs. The static-file handler then passes that same decoded path to the Windows path resolver, which does treat the backslash as a separator, and the file is served from inside the subtree the prefix was meant to guard. In effect the two components disagree about where a directory boundary is, and an attacker can read static files the prefix-mounted middleware was supposed to protect.
Who it affects
Windows hosts serving static files via Node, Bun, or Deno adapters that guard a static subtree with prefix-mounted middleware.
What to do today
Upgrade to a hono release that includes the fix referenced in the advisory. Until you can, reject any request whose decoded path contains a backslash before it reaches static-file middleware, confine the resolved file path to the document root, and decide authorization on the resolved filesystem path rather than trusting a URL prefix match alone, since only the filesystem view reflects what the Windows resolver will actually open.
Source
GitHub Advisory · hono