CVE-2025-58362
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-05

Last updated on: 2025-09-17

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this could lead to incorrect path extraction depending on the application and environment. If proxy ACLs are used to protect sensitive endpoints such as /admin, this flaw could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: if sensitive administrative data is exposed, the impact may be high, otherwise it may be moderate. This issue is fixed in version 4.9.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-05
Last Modified
2025-09-17
Generated
2026-06-16
AI Q&A
2025-09-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58362
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hono hono From 4.8.0 (inc) to 4.9.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Hono web application framework versions 4.8.0 through 4.9.5 in the getPath utility function. The function incorrectly parses URL paths by relying on fixed character offsets when handling malformed absolute-form Request-URIs. This can cause path confusion, leading to incorrect path extraction. As a result, proxy-level access control lists (ACLs), such as Nginx location blocks that protect sensitive endpoints like /admin, could be bypassed, potentially allowing unauthorized access. [1, 2]

Impact Analysis

If you use Hono versions 4.8.0 through 4.9.5 and rely on proxy ACLs to protect sensitive endpoints, this vulnerability could allow attackers to bypass those ACLs and gain unauthorized access to restricted areas such as /admin. The confidentiality impact depends on the data exposed; if sensitive administrative data is accessed, the impact is high. The vulnerability requires no privileges or user interaction and can be exploited remotely over the network. [1, 2]

Detection Guidance

This vulnerability can be detected by testing how your application and proxy handle malformed absolute-form Request-URIs that could cause path confusion. You can craft HTTP requests with malformed URLs such as 'http:/example.com/hello', 'http:///hello', or 'http://a/:/hello' and observe if the proxy ACLs (e.g., Nginx location blocks) are bypassed or if the application incorrectly extracts the path. Using tools like curl or netcat to send these malformed requests and monitoring access logs or proxy behavior can help detect the issue. For example, you can use curl commands like: curl -v -X GET 'http:/example.com/admin' or curl -v -X GET 'http:///admin' to test if access controls are bypassed. [2, 3]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the hono package to version 4.9.6 or later, which contains the fix for the flawed getPath utility function. This update corrects the URL path parsing logic to prevent path confusion and unauthorized access. Additionally, review your proxy ACL configurations and consider rejecting malformed absolute-form Request-URIs at the proxy level if possible. Users relying on reverse proxies like Nginx for access control should apply the update promptly to avoid exploitation. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58362. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart