PT-2025-36105 · Hono · Hono
Imenyoo2 +1
Published 2025-09-04 · Updated 2025-09-05
CVE-2025-58362
CVSS v3.1 base score: 7.5 (High)
Base vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products: Hono
Name of the Vulnerable Software and Affected Versions:
Hono versions 4.8.0 through 4.9.5
Description:
Hono is a web application framework that runs on any JavaScript runtime. Its `getPath` utility, which extracts the request path from the request URL for routing, located the path by fixed character offsets instead of parsing the URL. A malformed absolute-form Request-URI could therefore be sliced at the wrong position, so the path Hono routed on could differ from the path a proxy in front of the application evaluated. An attacker could use this path confusion to bypass proxy-level ACLs and reach sensitive endpoints the proxy was meant to protect. The impact is unauthorized access (confidentiality), consistent with the C:H/I:N/A:N vector above.
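The following is an added illustration of the bug class the advisory describes, not Hono's `getPath` and not its fix. The offset heuristic in `getPathFixedOffset`, the URL inputs, the toy proxy ACL and the toy router are all constructed for this example (the advisory's actual trigger, a malformed absolute-form Request-URI, is not reproduced here). It shows how a fixed-offset extractor and a real URL parser can return different paths for the same URL string, and how a proxy ACL that decides on one view is bypassed when the application routes on the other.

```javascript
// Added example: fixed-offset path extraction vs. URL parsing.
// Hypothetical code, not Hono's. All inputs below are constructed.

// Hypothetical fixed-offset extractor. It assumes the path begins at the first
// '/' at or after index 8 ("https://" is 8 characters), except that when index 9
// is ':' it treats the prefix as "host:port" and jumps to index 13. Any URL whose
// layout differs from that guess yields a wrong path.
function getPathFixedOffset(url) {
  const start = url.indexOf('/', url.charCodeAt(9) === 58 /* ':' */ ? 13 : 8);
  if (start === -1) return '/';
  const end = url.indexOf('?', start);
  return end === -1 ? url.slice(start) : url.slice(start, end);
}

// Hardened extractor: let the WHATWG URL parser locate scheme, authority and
// path. Input that is not an absolute URL is rejected (null) rather than sliced
// at a guessed offset; the caller should refuse such a request.
function getPathParsed(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return null;
  }
  return u.pathname;
}

// Toy proxy-level ACL: deny anything under /admin, judged on the parsed path.
function proxyAllows(url) {
  const path = getPathParsed(url);
  return path !== null && !path.startsWith('/admin');
}

// Toy application router: dispatches on whatever path the extractor returned.
function route(path) {
  return path.startsWith('/admin') ? 'admin-handler' : 'public-handler';
}

// End to end: the proxy filters first, then the app routes using `extractor`.
function demo(url, extractor) {
  if (!proxyAllows(url)) return 'blocked-at-proxy';
  return route(extractor(url));
}

// Constructed inputs (not taken from the advisory).
const BENIGN = 'http://app.example/x/admin'; // index 9 is 'p': no skip, both agree
const CONFUSING = 'http://ab:1/x/admin';     // index 9 is ':': skip to 13 -> "/admin"

for (const url of [BENIGN, CONFUSING]) {
  console.log(url);
  console.log('  fixed-offset path :', getPathFixedOffset(url));
  console.log('  parsed path       :', getPathParsed(url));
  console.log('  app (fixed-offset):', demo(url, getPathFixedOffset));
  console.log('  app (parsed)      :', demo(url, getPathParsed));
}
```

For `CONFUSING` the proxy sees `/x/admin` and lets the request through, while the fixed-offset extractor hands `/admin` to the router, so the admin handler runs. The parsed extractor gives the router the same path the proxy judged, and the ACL holds. The general lesson is the one the advisory states: derive the routed path from a real URL parser (or a byte-exact scan for the authority delimiter), never from assumed character positions, and reject request URLs the parser cannot handle instead of guessing.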
Recommendations:
Update to version 4.9.6 or later.