CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-47676: Inconsistent Path Parsing and Slicing in Hono Framework Sub-Application Mounting

Vulnerability ID: CVE-2026-47676
CVSS Score: 5.3
Published: 2026-06-04

A path parsing and normalization inconsistency exists in the Hono web framework prior to version 4.12.21. When hosting sub-applications via the app.mount() routing interface, Hono computes the routing prefix length on a percent-decoded representation of the URI but applies the resulting slice offset to the raw, percent-encoded path string. Whenever the prefix contains multi-byte characters, the two representations differ in length, so the slice cuts at the wrong position and a malformed request path is dispatched to the mounted sub-application, potentially leading to route bypasses, route confusion, and application-level Denial of Service.

TL;DR

An inconsistency between decoded prefix matching and raw path-slicing in Hono's app.mount() causes malformed path propagation and routing failures when processing percent-encoded multi-byte URI characters.
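The following simplified model illustrates the mechanism described above. It is an added example written for this article, not Hono's source code; the names `safeDecode`, `prefixLength`, `mountSliceBefore`, `mountSliceAfter` and `looksMalformed` and the mount prefix `/café` are all constructed here. The "before" function measures the prefix on the decoded form but slices the raw percent-encoded path, exactly the mismatch the advisory describes; the "after" function slices the same decoded representation the length was measured against.

```javascript
// Simplified model of the app.mount() prefix-slicing inconsistency.
// Added illustration for this article, not Hono's code; all names here are invented.

// Constructed example: a sub-application mounted under a non-ASCII prefix.
const MOUNT_PREFIX = '/café';

// Decode a path the way a router must: a malformed escape such as "%A" at the
// end of a path makes decodeURIComponent throw URIError, so fall back to the
// raw string rather than letting the exception escape into the request pipeline.
function safeDecode(pathname) {
  try {
    return decodeURIComponent(pathname);
  } catch (e) {
    if (e instanceof URIError) return pathname;
    throw e;
  }
}

// The prefix length is measured on the decoded prefix: '/café'.length === 5.
function prefixLength(prefix) {
  return safeDecode(prefix).length;
}

// Before the fix: length taken from the decoded form, slice applied to the raw,
// percent-encoded pathname. For '/caf%C3%A9/users' the offset 5 lands inside the
// encoded 'é' (%C3%A9), so the sub-app receives 'C3%A9/users' instead of '/users'.
function mountSliceBefore(rawPathname) {
  return rawPathname.slice(prefixLength(MOUNT_PREFIX)) || '/';
}

// After the fix: slice the same decoded representation the length was measured
// against, so the sub-application receives '/users' (or '/' for the bare prefix).
function mountSliceAfter(rawPathname) {
  return safeDecode(rawPathname).slice(prefixLength(MOUNT_PREFIX)) || '/';
}

// Defender-side sanity check: a sub-path handed to a mounted application should
// always start at a path separator; anything else is the tail of a split escape.
function looksMalformed(subPath) {
  return !subPath.startsWith('/');
}

// Demo over constructed request paths.
for (const raw of ['/caf%C3%A9/users', '/caf%C3%A9', '/café/users']) {
  console.log(raw, '=> before:', mountSliceBefore(raw), '| after:', mountSliceAfter(raw));
}
```

Running the demo shows the split escape sequence on the "before" side and a clean sub-path on the "after" side; `looksMalformed` is the kind of check a middleware in front of a mounted application could log on, since a sub-path that does not begin with `/` is never a legitimate routing outcome.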


Technical Details

  • CWE ID: CWE-444 (Inconsistent Interpretation of HTTP Requests)
  • Attack Vector: Network (AV:N)
  • CVSS Severity: 5.3 Medium
  • Exploit Status: Proof of Concept available in test suites
  • KEV Status: Not listed
  • Ransomware Use: No known usage

Affected Systems

  • Hono framework web applications running on Node.js, Bun, Deno, or Cloudflare Workers
  • hono: < 4.12.21 (Fixed in: 4.12.21)

Code Analysis

Commit: 6cbb025

fix(mount): fix path slicing calculation on percent-encoded paths using getPath()

@@ -364,7 +364,7 @@
- url.pathname = url.pathname.slice(pathPrefixLength) || '/'
+ url.pathname = this.getPath(request).slice(pathPrefixLength) || '/'
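Review bot: the slice now operates on `this.getPath(request)`, but the computation of `pathPrefixLength` is outside this hunk; confirm that it is derived from the same decoded representation `getPath()` returns (including whatever `getPath()` does for malformed escapes that make decoding throw), otherwise the offset can still drift between the two. A regression test covering the cases named in the advisory would pin this down: a mount prefix containing a multi-byte character, a request path carrying its percent-encoded form, and a request path equal to the bare prefix so the `|| '/'` fallback is exercised on the decoded string rather than on `url.pathname`.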

Mitigation Strategies

  • Upgrade Hono dependencies to version 4.12.21 or higher
  • Ensure all mount prefixes are defined strictly using Unicode literals rather than percent-encoded strings
  • Implement a global catch-all exception handler to catch unhandled URIErrors resulting from malformed HTTP paths

Remediation Steps:

  1. Identify all projects that depend on Hono by running 'npm ls hono' or the equivalent command for your package manager
  2. Update the project package.json to require 'hono': '^4.12.21' or higher
  3. Run the package manager install command to apply the update ('npm install' or 'pnpm install')
  4. Review every use of 'app.mount' in the codebase to ensure prefixes do not contain hardcoded percent-encoded characters
  5. Re-deploy the application to production and run regression tests that include non-ASCII route characters

Read the full report for CVE-2026-47676 on our website for more details including interactive diagrams and full exploit analysis.