CVE-2024-23340: 
JavaScript vulnerability analysis and mitigation

@hono/node-server, an adapter for running Hono applications on Node.js, contains a vulnerability (CVE-2024-23340) related to URL path handling. Since version 1.3.0, the package has used its own Request object with unexpected URL behavior when handling double dots (..) in paths. The vulnerability affects versions 1.3.0 to 1.4.1 (excluding 1.4.1) and was disclosed on January 22, 2024 (GitHub Advisory).

The vulnerability stems from the Request object's handling of double dots (..) in URLs. In the standard API, when a URL contains double dots, the Request object returns a resolved path. However, @hono/node-server's Request implementation does not resolve these double dots, returning unresolved paths like 'http://localhost/static/../foo.txt' instead of the expected resolved path 'http://localhost/foo.txt'. This behavior particularly affects the serveStatic functionality. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

The vulnerability can lead to security issues when using the serveStatic functionality, potentially exposing sensitive information. However, the impact is mitigated in modern web browsers and recent versions of curl, as they resolve double dots on the client side. Problems may only occur when accessed by clients that do not perform path resolution (GitHub Advisory).

The vulnerability has been fixed in version 1.4.1 of @hono/node-server. As a temporary workaround, users are advised not to use the serveStatic functionality if they cannot update to the patched version (GitHub Advisory).