Skip to content

fix: upgrade @hono/node-server to 1.19.10 (CVE-2026-29087)#16748

Open
orbisai0security wants to merge 1 commit into
CherryHQ:mainfrom
orbisai0security:fix-cve-2026-29087-hono-node-server
Open

fix: upgrade @hono/node-server to 1.19.10 (CVE-2026-29087)#16748
orbisai0security wants to merge 1 commit into
CherryHQ:mainfrom
orbisai0security:fix-cve-2026-29087-hono-node-server

Conversation

@orbisai0security

Copy link
Copy Markdown
Contributor

Summary

Upgrade @hono/node-server from 1.19.9 to 1.19.10 to fix CVE-2026-29087.

Vulnerability

Field Value
ID CVE-2026-29087
Severity HIGH
Scanner trivy
Rule CVE-2026-29087
File pnpm-lock.yaml
Assessment Likely exploitable

Description: @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware

Evidence

Scanner confirmation: trivy rule CVE-2026-29087 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Threat Model Context

This is a Node.js library - vulnerabilities affect downstream consumers who use this package.

Changes

  • package.json
  • pnpm-lock.yaml

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security

Automated dependency upgrade by OrbisAI Security

Signed-off-by: orbisai0security <mediratta01.pally@gmail.com>
@orbisai0security orbisai0security requested a review from a team July 5, 2026 06:34
@DeJeune

DeJeune commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

This comment was translated automatically.

We are not using this dependency.


Original Content

我们并没有使用这个依赖

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants