## Hono.js Framework Exposes Critical Path Traversal Flaw in Static Site Generation (CVE-2026-39408)
A critical security vulnerability in the popular Hono.js web framework allows attackers to write files outside the intended output directory during static site generation, creating a risk of arbitrary file creation and potential server compromise. The flaw, tracked as CVE-2026-39408, resides in the `toSSG()` function and is triggered when dynamic route parameters are supplied through `ssgParams`. Because the parameter values are spliced into the output file path, a specially crafted value can escape the configured output directory, breaking the security boundary of the static generation process.

The vulnerability affects the `hono` npm package. A security advisory from the Hono.js maintainers states that the flaw is present in versions prior to the patched release, v4.12.12. The update from version 4.12.7 to 4.12.12, now being proposed by automated dependency management tools such as Renovate, is marked as a security fix. The core of the exploit is manipulating a dynamic route parameter so that it traverses up the directory tree, causing a generated static file to be written to an unintended location on the host filesystem. To confirm which version a project actually resolves, run `npm ls hono` (or the equivalent for the package manager in use) and check that every copy, including transitive ones, is at 4.12.12 or later; a lockfile that still pins an older release will keep the vulnerable code in the build even after `package.json` is bumped.

This vulnerability has immediate and serious implications for any production system that uses Hono.js for static site generation (SSG). Unpatched deployments are exposed to file system manipulation, which could lead to data corruption or defacement, or could serve as a foothold for further attacks. Whether a given build is practically exploitable depends on where the `ssgParams` values come from: parameters derived from untrusted sources (for example, slugs pulled from user-submitted content or an external data store) are the dangerous case, while a hard-coded list of parameters gives an attacker nothing to control, although such projects should still upgrade. The flaw underscores the inherent risk in SSG tooling that constructs file paths from user or application input without verifying that the resulting path stays inside the output directory. All developers and organizations relying on Hono must urgently apply the patch to version 4.12.12 to mitigate this direct path traversal threat.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, CVE-2026-39408, path traversal, static site generation, npm
- **Credibility**: unverified
- **Published**: 2026-04-08 05:27:02
- **ID**: 54366
- **URL**: https://whisperx.ai/en/intel/54366