CVE-2025-58362
BaseFortify
Publication date: 2025-09-05
Last updated on: 2025-09-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hono | hono | From 4.8.0 (inc) to 4.9.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-706 | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Hono web application framework versions 4.8.0 through 4.9.5 in the getPath utility function. The function incorrectly parses URL paths by relying on fixed character offsets when handling malformed absolute-form Request-URIs. This can cause path confusion, leading to incorrect path extraction. As a result, proxy-level access control lists (ACLs), such as Nginx location blocks that protect sensitive endpoints like /admin, could be bypassed, potentially allowing unauthorized access. [1, 2]
How can this vulnerability impact me?
If you use Hono versions 4.8.0 through 4.9.5 and rely on proxy ACLs to protect sensitive endpoints, this vulnerability could allow attackers to bypass those ACLs and gain unauthorized access to restricted areas such as /admin. The confidentiality impact depends on the data exposed; if sensitive administrative data is accessed, the impact is high. The vulnerability requires no privileges or user interaction and can be exploited remotely over the network. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing how your application and proxy handle malformed absolute-form Request-URIs that could cause path confusion. You can craft HTTP requests with malformed URLs such as 'http:/example.com/hello', 'http:///hello', or 'http://a/:/hello' and observe whether the proxy ACLs (e.g., Nginx location blocks) are bypassed or whether the application extracts the wrong path. Sending these malformed requests with tools like curl or netcat while monitoring access logs and proxy behaviour can help detect the issue. For example, you can use curl commands like: curl -v -X GET 'http:/example.com/admin' or curl -v -X GET 'http:///admin' to test whether access controls are bypassed. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the hono package to version 4.9.6 or later, which contains the fix for the flawed getPath utility function. This update corrects the URL path parsing logic to prevent path confusion and unauthorized access. Additionally, review your proxy ACL configurations and consider rejecting malformed absolute-form Request-URIs at the proxy level if possible. Users relying on reverse proxies like Nginx for access control should apply the update promptly to avoid exploitation. [1, 2]
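As an added, defender-side illustration (not Hono's code and not the fix shipped in 4.9.6), the following JavaScript shows a strict request-target check that a proxy or middleware could apply before any ACL decision: it extracts the path only from origin-form or well-formed absolute-form targets, rejects the malformed forms quoted in the detection answer, and contrasts this with the lenient WHATWG URL parser, which silently normalises them instead. The sample inputs are constructed; the placeholder base host is an assumption.

```javascript
// Added example (not Hono's code, not the 4.9.6 fix): strict request-target
// handling for a proxy or middleware. Only origin-form ("/admin") and
// well-formed absolute-form ("http://host/admin") targets yield a path;
// malformed absolute-form targets are rejected rather than "repaired", so the
// ACL layer and the application cannot disagree about which path was requested.

// RFC 3986 generic syntax: scheme "://" authority [path] [?query].
// The authority must be non-empty and may not contain '/', '?' or '#'.
const ABSOLUTE_FORM = /^([A-Za-z][A-Za-z0-9+.-]*):\/\/([^/?#]+)(\/[^?#]*)?(\?[^#]*)?$/;

function extractPath(requestTarget) {
  // origin-form: an absolute path, optionally followed by a query
  if (requestTarget.startsWith('/')) {
    return { ok: true, path: requestTarget.split('?')[0] };
  }
  const m = ABSOLUTE_FORM.exec(requestTarget);
  if (m === null) {
    return { ok: false, reason: 'malformed absolute-form request-target' };
  }
  const [, scheme, authority, path = '/'] = m;
  if (!/^https?$/i.test(scheme)) {
    return { ok: false, reason: `unexpected scheme "${scheme}"` };
  }
  // strip optional userinfo@ and :port; what remains must be a non-empty host
  const host = authority.split('@').pop().replace(/:\d*$/, '');
  if (host.length === 0) {
    return { ok: false, reason: 'empty host in authority' };
  }
  return { ok: true, path };
}

// For comparison: the WHATWG URL parser (Node's global URL) is lenient with
// special schemes and normalises the malformed inputs without complaint.
function lenientPath(requestTarget) {
  try {
    const u = requestTarget.startsWith('/')
      ? new URL(requestTarget, 'http://placeholder.invalid') // assumed base for origin-form
      : new URL(requestTarget);
    return u.pathname;
  } catch {
    return null;
  }
}

// Constructed inputs: the three malformed forms from the detection answer plus two controls.
const SAMPLES = ['http:/example.com/hello', 'http:///hello', 'http://a/:/hello',
                 '/admin', 'http://example.com/admin?x=1'];
for (const s of SAMPLES) {
  const strict = extractPath(s);
  console.log(s.padEnd(28), strict.ok ? `path=${strict.path}` : `REJECT (${strict.reason})`,
              `| lenient=${lenientPath(s)}`);
}
```

Run it with Node to see that the strict check rejects the first two inputs while the lenient parser reports '/hello' and '/' for them.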