Description

Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this could lead to incorrect path extraction depending on the application and environment. If proxy ACLs are used to protect sensitive endpoints such as /admin, this flaw could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: if sensitive administrative data is exposed, the impact may be high, otherwise it may be moderate. This issue is fixed in version 4.9.6.

INFO

Published Date :

2025-09-04T23:56:13.983Z

Last Modified :

2025-09-05T16:05:20.545Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58362 vulnerability.

Vendors Products
Hono
  • Hono
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58362.

URL Resource
https://github.com/honojs/hono/commit/1d79aedc3f82d8c9969b115fe61bc4bd705ec8de cve-icon cve-icon
https://github.com/honojs/hono/releases/tag/v4.9.6 cve-icon cve-icon
https://github.com/honojs/hono/security/advisories/GHSA-9hp6-4448-45g2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact