Hono.js Static Site Generator Vulnerability: Path Traversal in toSSG() Exposes File System Risk
A critical path traversal vulnerability in the Hono.js web framework's static site generation function, `toSSG()`, has been disclosed. The flaw, tracked as CVE-2026-39408, allows attackers to write files outside the configured output directory. This occurs when using dynamic route parameters via `ssgParams`; specially crafted values can manipulate generated file paths to escape the intended directory boundary, posing a direct risk to the underlying file system of affected applications.
The vulnerability is present in versions prior to Hono v4.12.12. It is fixed in v4.12.12, and the dependency update from version 4.12.10 to 4.12.12 is flagged as a security update. The advisory from the Hono.js security team states that the flaw is exploitable during static site generation, a core feature for developers who use the framework to pre-render content.
This vulnerability underscores the persistent security challenges in build tools and SSG (Static Site Generation) pipelines. Developers relying on Hono for production sites must immediately update to the patched version to mitigate the risk of unauthorized file system access. The fix is now being propagated through dependency management systems, with automated tools like RenovateBot already issuing pull requests for affected projects.
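Alongside the upgrade, a build script can vet `ssgParams` values itself before any file is written. The JavaScript below is an added example, not Hono's code or its patch: `isSafeParamValue`, `resolveInside` and `planOutputs` are hypothetical helpers, and the route-to-`.html` mapping is an assumed simplification of what an SSG step does.

```javascript
// Added example: a simplified model of route-to-file mapping, not Hono's code.
// Pure string handling, so it needs no runtime-specific imports.

// A parameter value is safe only if it is a single, plain path segment.
function isSafeParamValue(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  let decoded;
  try { decoded = decodeURIComponent(value); } catch { return false; }
  return [value, decoded].every((v) => v !== '.' && v !== '..' && !/[\/\\\0]/.test(v));
}

// Collapse "." and ".." segments; return null if the path climbs above its root.
function normalizeSegments(p) {
  const out = [];
  for (const seg of p.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { if (out.length === 0) return null; out.pop(); }
    else out.push(seg);
  }
  return out;
}

// Second layer: the final file path must still sit under outDir.
function resolveInside(outDir, routePath) {
  const segs = normalizeSegments(routePath);
  if (segs === null) throw new Error(`path escapes ${outDir}: ${routePath}`);
  return [outDir.replace(/\/+$/, ''), ...segs].join('/') + '.html';
}

// Split a list of ssgParams-style objects into output paths and rejected entries.
function planOutputs(route, paramList, outDir) {
  const names = [...route.matchAll(/:(\w+)/g)].map((m) => m[1]);
  const accepted = [], rejected = [];
  for (const params of paramList) {
    if (!names.every((n) => isSafeParamValue(params[n]))) { rejected.push(params); continue; }
    const filled = route.replace(/:(\w+)/g, (_, name) => params[name]);
    accepted.push(resolveInside(outDir, filled));
  }
  return { accepted, rejected };
}

// Constructed sample input: one ordinary slug and two that must be rejected.
const plan = planOutputs(
  '/posts/:slug',
  [{ slug: 'hello-world' }, { slug: '../../outside' }, { slug: '..%2Fnotes' }],
  './static'
);
console.log(plan);
```

Rejected entries are worth failing the build on rather than silently skipping, since they indicate untrusted data reaching the generation step.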