CVE-2026-47676: Hono Path Encoding Vulnerability in app.mount()
Hono, a JavaScript web framework, contains a path handling vulnerability in versions before 4.12.21 that affects how mounted sub-applications receive requests. When URLs contain percent-encoded characters (like %C3%A9 for é), the framework strips the mount prefix incorrectly, causing the sub-application to see a mangled path. This can lead to requests being routed to unintended endpoints or exposing sensitive information through path confusion.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-444, CWE-693
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from an encoding mismatch in Hono's app.mount() implementation. The prefix stripping operation uses the raw URL pathname (as-is from the HTTP request), while route matching is performed against the percent-decoded path. When a mounted application receives a request with multi-byte percent-encoded characters, this inconsistency causes the prefix to be removed at the wrong byte position. For example, a request to /app/%C3%A9/resource might have its /app prefix stripped incorrectly, leaving the sub-application with a corrupted path that does not match the decoded intent. This affects request routing logic and can bypass path-based access controls or trigger unexpected behavior in downstream route handlers.
Business impact
Organizations using Hono for multi-tenant or modular application architectures may face path-based security boundary violations. Mounted sub-applications could receive requests with altered paths, potentially allowing access to unintended resources, information disclosure through error messages revealing internal path structure, or inconsistent security policy enforcement across routing layers. API gateways, microservices, and reverse-proxy patterns using Hono as a mount point are particularly at risk if they rely on path prefixes for authentication or authorization decisions.
Affected systems
Hono versions prior to 4.12.21 are affected. The vulnerability is relevant to any JavaScript runtime environment where Hono is deployed, including Node.js, Deno, Cloudflare Workers, and browser-based environments. Organizations must verify their specific Hono version against the fixed version 4.12.21.
Exploitability
Exploitation requires no special privileges or user interaction; a malicious actor can craft a simple HTTP request containing percent-encoded characters in the URL path and submit it directly to any Hono-based application using app.mount(). The network is accessible without authentication. However, the practical impact depends on how the mounted sub-application's routing logic and security controls interact with malformed paths. Applications with strict input validation or path normalization in sub-applications may be less impacted than those assuming path integrity at the application layer.
Remediation
Upgrade Hono to version 4.12.21 or later. This release resolves the encoding mismatch by ensuring consistent path handling between prefix stripping and route matching. No configuration workarounds are recommended; patching is the definitive solution. Teams should test the upgrade in a staging environment to confirm compatibility with their mounted sub-application configurations before deploying to production.
Patch guidance
Update your project's dependency on Hono to version 4.12.21 or later. If using npm, run `npm install hono@latest` or `npm install hono@^4.12.21`. If pinned to a specific version, update package.json and run `npm install`. For Deno projects, update the import URL to reference the fixed version. Verify the update by checking the installed version with `npm list hono` and re-run your test suite, particularly tests covering mounted sub-applications with internationalized or special characters in paths.
Detection guidance
Monitor application logs for requests with percent-encoded characters in mount paths that result in routing mismatches or 404 errors followed by unexpected behavior. Implement URL decoding validation at the sub-application entry point to catch malformed paths. Review request logs for suspicious patterns like /app/%[hex-pairs]/resource arriving at sub-applications as paths that do not match expectations. If running Hono, audit your dependency tree to identify versions prior to 4.12.21 and prioritize those instances for patching.
Why prioritize this
While the CVSS score is medium (5.3), the vulnerability should be prioritized based on deployment architecture. Applications using Hono's app.mount() feature for security-sensitive sub-applications or multi-tenant isolation should patch urgently. Organizations running Hono primarily as a simple web server without complex mounted routing can defer patching slightly but should still apply it within the normal maintenance cycle.
Risk score, explained
The CVSS 3.1 score of 5.3 (MEDIUM) reflects a network-accessible vulnerability with low complexity and no authentication required, but limited to confidentiality impact with no integrity or availability loss in the base case. The score does not capture the full organizational context; teams relying on path-based authorization or using Hono in API gateway roles should treat this as higher priority. The vulnerability is not widely exploited (KEV status is not active) and does not directly enable ransomware campaigns.
Frequently asked questions
Does this vulnerability expose sensitive data directly?
Not directly. The vulnerability causes path confusion that may lead to information disclosure indirectly—for example, through error messages revealing internal path structure or through unintended access to resources that return sensitive information. The primary risk is bypassing intended security boundaries, not reading encrypted or protected secrets.
Which Hono runtimes are affected?
All JavaScript runtimes where Hono is deployed are affected: Node.js, Deno, Cloudflare Workers, Bun, and browser-based environments. The vulnerability is in Hono's core routing logic, not runtime-specific. Verify your Hono version in package.json or your lock file.
Can I mitigate this without upgrading?
Mitigation is difficult without patching. If upgrading is blocked, implement path normalization and validation in your mounted sub-applications to reject or correct malformed paths. However, this is fragile and does not address the root cause; patching to 4.12.21 is strongly recommended.
How do I know if my application uses app.mount()?
Search your codebase for `app.mount(` calls. If your Hono application does not use the mount() API, you are not directly affected. However, even single-instance deployments should upgrade for consistency and to future-proof against refactoring.
This analysis is based on publicly available vulnerability data as of June 2026. Security contexts vary by organization; tailor your response based on your specific use of Hono, deployed versions, and application architecture. Verify all patch versions and availability through official vendor advisories before deploying. SEC.co does not provide legal advice; consult your security and compliance teams on remediation timelines. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10174MEDIUMAider 0.86.3 Pre-commit Hook Bypass Vulnerability
- CVE-2026-10944MEDIUMChrome iOS Autofill Data Leak Vulnerability – Patch Now
- CVE-2026-10950MEDIUMChrome iOS Autofill Data Leak Vulnerability – Patch Guide
- CVE-2025-48649HIGHAndroid Local Privilege Escalation via Permission Bypass
- CVE-2025-48652HIGHAndroid MDM Bypass Logic Flaw – HIGH Severity Privilege Escalation
- CVE-2025-52609LOWHCL iControl Missing Security Headers XSS Vulnerability
- CVE-2026-0045HIGHAndroid Bluetooth Bonding Bypass Privilege Escalation
- CVE-2026-0077HIGHAndroid ActivityRecord Privilege Escalation Vulnerability