CVE-2024-32869

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where `main.ts` is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for the issue.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65	Patch
https://github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347	Exploit Vendor Advisory
https://github.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65	Patch
https://github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2024-04-23 21:15

Updated : 2025-09-17 20:34

NVD link : CVE-2024-32869

Mitre link : CVE-2024-32869

CVE.ORG link : CVE-2024-32869

JSON object : View

Products Affected

hono

hono

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-32869", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-04-23T21:15:48.623", "references": [{"url": "https://github.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where `main.ts` is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for the issue."}, {"lang": "es", "value": "Hono es un framework de aplicaci\u00f3n web que brinda soporte para cualquier tiempo de ejecuci\u00f3n de JavaScript. Antes de la versi\u00f3n 4.2.7, cuando se usabaserveStatic con deno, era posible recorrer el directorio donde se encontraba `main.ts`. Esto puede resultar en la recuperaci\u00f3n de archivos inesperados. La versi\u00f3n 4.2.7 contiene un parche para el problema."}], "lastModified": "2025-09-17T20:34:12.597", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C484AFF0-719D-4690-B302-85AD350050A9", "versionEndExcluding": "4.2.7"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}