CVE-2025-58362

Name of the Vulnerable Software and Affected Versions Hono versions 4.8.0 through 4.9.5

Description Hono is a Web application framework that provides support for any JavaScript runtime. A flaw exists in the getPath utility function that could allow path confusion and potential bypass of proxy-level ACLs. The original implementation relied on fixed character offsets when parsing request URLs, which could lead to incorrect path extraction with malformed absolute-form Request-URIs. This could allow unauthorized access to sensitive endpoints protected by proxy ACLs.

Recommendations Update to version 4.9.6 or later.