### [CVE-2025-58362](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58362)
![](https://img.shields.io/static/v1?label=Product&message=hono&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%204.8.0%2C%20%3C%204.9.6%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-706%3A%20Use%20of%20Incorrectly-Resolved%20Name%20or%20Reference&color=brightgreen)

### Description

Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this could lead to incorrect path extraction depending on the application and environment. If proxy ACLs are used to protect sensitive endpoints such as /admin, this flaw could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: if sensitive administrative data is exposed, the impact may be high, otherwise it may be moderate. This issue is fixed in version 4.9.6.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cve-scores