Path Confusion Vulnerability in Hono Web Application Framework
CVE-2025-58362

7.5HIGH

Key Information:

Vendor

Honojs

Status
Hono
Vendor
CVE Published:
4 September 2025

What is CVE-2025-58362?

The Hono Web Application Framework versions 4.8.0 through 4.9.5 exhibit a flaw in the getPath utility function that can result in path confusion. This vulnerability may permit unauthorized access to sensitive endpoints, particularly when proxy-level Access Control Lists (ACLs) are employed. Specifically, malformed Request-URIs can lead to inaccurate path extraction based on the application's context. Consequently, this flaw could jeopardize the confidentiality of sensitive data, especially administrative information. This issue has been resolved in version 4.9.6. For more details, visit the official advisory.

Affected Version(s)

hono >= 4.8.0, < 4.9.6

References

https://github.com/honojs/hono/security/advisories/GHSA-9...
x_refsource_CONFIRM
https://github.com/honojs/hono/commit/1d79aedc3f82d8c9969...
x_refsource_MISC
https://github.com/honojs/hono/releases/tag/v4.9.6
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.