Hono has an Arbitrary Key Read in Serve static Middleware...

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.

Basic Information

ID CVE-2026-24473

Source GitHub_M

Published Jan 27, 2026 at 19:37

Affected Product

Vendor honojs

Product hono

Version < 4.11.7

Affected Versions honojs hono < 4.11.7

CWE Classification

CWE-200 CWE-284 CWE-668

References

{
    "lastseen": "",
    "description": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.",
    "published": "2026-01-27T19:37:52.012Z",
    "modified": "2026-01-27T19:37:52.012Z",
    "type": "cve",
    "title": "Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)",
    "source": "GitHub_M",
    "references": "https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p\nhttps://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817\nhttps://github.com/honojs/hono/releases/tag/v4.11.7",
    "id": "CVE-2026-24473",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200",
        "CWE-284",
        "CWE-668"
    ],
    "cvelist": null,
    "sourceData": "honojs hono < 4.11.7",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "hono",
    "version": "< 4.11.7",
    "vendor": "honojs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)_CVE-2026-24473