PatchSiren cyber security CVE debrief

CVE-2026-47676 honojs CVE debrief

Summary

Hono is a web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.

Vendor: honojs
Product: hono
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Hono-based web applications using app.mount() with sub-applications, particularly those handling internationalized URLs or percent-encoded path segments

Technical summary

The vulnerability stems from an inconsistency between how app.mount() processes the URL pathname and how route matching operates. Mount prefix stripping uses the raw URL pathname, while route matching uses the percent-decoded path. When percent-encoded multi-byte characters are present, the two representations differ in length, so the prefix is removed at the wrong position and an incorrect path is propagated to the mounted sub-application. This can result in routing errors or unexpected behavior in applications that rely on path-based logic in sub-applications.
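A constructed illustration of this class of mismatch, added here as an example; it is not Hono's code and not the patched implementation. The mount prefix, the request paths and the helper names are assumptions made for the demonstration.

```javascript
// Constructed illustration of the mismatch: the prefix is matched against the
// percent-decoded path, but then removed from the raw pathname using the length
// measured on the decoded string. Not Hono's code; the helpers are hypothetical.

// decodeURIComponent throws on malformed sequences such as "%E6%97"; treat that
// as "no match" rather than letting a single request crash the router.
function safeDecode(rawPathname) {
  try {
    return decodeURIComponent(rawPathname);
  } catch {
    return null;
  }
}

// Inconsistent: match on the decoded path, strip on the raw path. A multi-byte
// character is at most two UTF-16 code units once decoded but at least six
// characters while percent-encoded, so the slice position is wrong whenever
// the prefix contains such characters.
function stripPrefixInconsistent(rawPathname, prefix) {
  const decoded = safeDecode(rawPathname);
  if (decoded === null || !decoded.startsWith(prefix)) return null;
  return rawPathname.slice(prefix.length) || "/";
}

// Consistent: match and strip on the same representation (the decoded path),
// so the sub-application receives exactly the remainder the router matched.
function stripPrefixConsistent(rawPathname, prefix) {
  const decoded = safeDecode(rawPathname);
  if (decoded === null || !decoded.startsWith(prefix)) return null;
  return decoded.slice(prefix.length) || "/";
}

// Hypothetical mount point and a constructed request path.
const MOUNT_PREFIX = "/日本";
const ENCODED_REQUEST = "/%E6%97%A5%E6%9C%AC/users/42"; // "/日本/users/42" once decoded

function demo() {
  return {
    inconsistent: stripPrefixInconsistent(ENCODED_REQUEST, MOUNT_PREFIX), // "6%97%A5%E6%9C%AC/users/42"
    consistent: stripPrefixConsistent(ENCODED_REQUEST, MOUNT_PREFIX),     // "/users/42"
  };
}

console.log(demo());
```

With an ASCII-only prefix such as "/api" both helpers agree, which is why the defect only surfaces on internationalized or otherwise percent-encoded mount points.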

Defensive priority

medium

Recommended defensive actions

  • Upgrade Hono to version 4.12.21 or later to remediate the path handling inconsistency in app.mount()
  • Review applications using app.mount() with sub-applications to verify correct path routing behavior, particularly for requests containing percent-encoded multi-byte characters
  • Validate that mounted sub-applications receive expected paths when processing internationalized or encoded URL segments

Evidence notes

CVE published 2026-05-28. Advisory references GitHub Security Advisory GHSA-2gcr-mfcq-wcc3. CVSS 5.3 (MEDIUM). CWE-444 (HTTP Request/Response Smuggling) and CWE-693 (Protection Mechanism Failure) identified.

Official resources

2026-05-28