5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23340

GHSA ID

GHSA-rjq5-w47x-x359

EPSS Score

0.55718%

CWE

CWE-22

Published

1/23/2024

Updated

1/23/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-23340

CVE-2024-23340:
@hono/node-server cannot handle "double dots" in URL

Impact

Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.

In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path.

const req = new Request('http://localhost/static/../foo.txt') // Web-standards
console.log(req.url) // http://localhost/foo.txt

However, the url in our Request does not resolve double dots, so http://localhost/static/.. /foo.txt is returned.

const req = new Request('http://localhost/static/../foo.txt')
console.log(req.url) // http://localhost/static/../foo.txt

It will pass unresolved paths to the web application. This causes vulnerabilities like #123 when using serveStatic.

Note: Modern web browsers and a latest curl command resolve double dots on the client side, so it does not affect you if the user uses them. However, problems may occur if accessed by a client that does not resolve them.

Patches

"v1.4.1" includes the change to fix this issue.

Workarounds

Don't use serveStatic.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23340

GHSA ID

GHSA-rjq5-w47x-x359

EPSS Score

0.55718%

CWE

CWE-22

Published

1/23/2024

Updated

1/23/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@hono/node-server	npm	>= 1.3.0, < 1.4.1	1.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the url getter in src/request.ts which directly used the raw incoming URL without path normalization. The commit diff shows the fix added path resolution using Node.js's path.resolve() when detecting '..' sequences. This matches the CWE-22 (Path Traversal) description and the advisory's impact statement about improper path handling. The vulnerable code was explicitly shown in pre-patch versions of the file, making this a clear root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Sin** v*.*.*, w* us* our own R*qu*st o*j**t. T*is is *r**t, *ut t** `url` ****vior is un*xp**t**. In t** st*n**r* *PI, i* t** URL *ont*ins `..`, **r* **ll** "*ou*l* *ots", t** URL strin* r*turn** *y R*qu*st will ** in t** r*solv** p*t*.

Reasoning

T** vuln*r**ility st*ms *rom t** url **tt*r in `sr*/r*qu*st.ts` w*i** *ir**tly us** t** r*w in*omin* URL wit*out p*t* norm*liz*tion. T** *ommit *i** s*ows t** *ix ***** p*t* r*solution usin* `No**.js`'s `p*t*.r*solv*()` w**n **t**tin* '..' s*qu*n**s.

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-23340: @hono/node-server cannot handle "double dots" in URL

Impact

Patches

Workarounds

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-23340:
@hono/node-server cannot handle "double dots" in URL

Vulnerability Intelligence
Miggo AI