CVE-2024-23340 Information
Description
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object, whose url behavior is unexpected. In the standard API, if the URL contains ".." (here called "double dots"), the URL string returned by Request will be the resolved path. However, the url in @hono/node-server's Request does not resolve double dots, so http://localhost/static/../foo.txt is returned as is. This causes vulnerabilities when using serveStatic. Modern web browsers and the latest curl command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if the server is accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use serveStatic.
Reference
https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359
https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402
https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45