Vulnerability Details CVE-2025-58362
Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this could lead to incorrect path extraction depending on the application and environment. If proxy ACLs are used to protect sensitive endpoints such as /admin, this flaw could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: if sensitive administrative data is exposed, the impact may be high, otherwise it may be moderate. This issue is fixed in version 4.9.6.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.5%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2025-58362
-
cpe:2.3:a:hono:hono:4.8.0
-
cpe:2.3:a:hono:hono:4.8.1
-
cpe:2.3:a:hono:hono:4.8.10
-
cpe:2.3:a:hono:hono:4.8.11
-
cpe:2.3:a:hono:hono:4.8.12
-
cpe:2.3:a:hono:hono:4.8.2
-
cpe:2.3:a:hono:hono:4.8.3
-
cpe:2.3:a:hono:hono:4.8.4
-
cpe:2.3:a:hono:hono:4.8.5
-
cpe:2.3:a:hono:hono:4.8.6
-
cpe:2.3:a:hono:hono:4.8.7
-
cpe:2.3:a:hono:hono:4.8.8
-
cpe:2.3:a:hono:hono:4.8.9
-
cpe:2.3:a:hono:hono:4.9.0
-
cpe:2.3:a:hono:hono:4.9.1
-
cpe:2.3:a:hono:hono:4.9.2
-
cpe:2.3:a:hono:hono:4.9.3
-
cpe:2.3:a:hono:hono:4.9.4
-
cpe:2.3:a:hono:hono:4.9.5