From 268cb9482a68902bf9b09bf218df29531c955ca1 Mon Sep 17 00:00:00 2001
From: Chris Wanstrath
Date: Fri, 20 Feb 2026 16:08:25 -0800
Subject: [PATCH] Fix path traversal vulnerability in static file serving

---
 src/index.tsx | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/index.tsx b/src/index.tsx
index a434cd4..9140304 100644
--- a/src/index.tsx
+++ b/src/index.tsx
@@ -1,4 +1,4 @@
-import { join } from 'path'
+import { join, resolve } from 'path'
 import { render as formatHTML } from './lib/html-formatter'
 import { type Context, Hono, type Schema, type Env } from 'hono'
 import { serveStatic } from 'hono/bun'
@@ -174,7 +174,8 @@ export class Hype<
 // serve transpiled js
 this.on('GET', ['/client/:path{.+}', '/shared/:path{.+}'], async c => {
- const reqPath = './src/' + c.req.path.replace('..', '.')
+ const reqPath = resolve('./src/', c.req.path.slice(1))
+ if (!reqPath.startsWith(resolve('./src/'))) return render404(c)
 // strip known extension to get base path
 const base = reqPath.replace(/\.(js|jsx|ts|tsx)$/, '')