CVE-2025-58362

EPSS 0.05%
Veröffentlicht 04.09.2025 23:56:13
Zuletzt bearbeitet 17.09.2025 20:35:24
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this could lead to incorrect path extraction depending on the application and environment. If proxy ACLs are used to protect sensitive endpoints such as /admin, this flaw could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: if sensitive administrative data is exposed, the impact may be high, otherwise it may be moderate. This issue is fixed in version 4.9.6.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hono ≫ Hono SwPlatformnode.js Version >= 4.8.0 < 4.9.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.139

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-706 Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

https://github.com/honojs/hono/security/advisories/GHSA-9hp6-4448-45g2

Vendor Advisory

https://github.com/honojs/hono/commit/1d79aedc3f82d8c9969b115fe61bc4bd705ec8de

Patch

https://github.com/honojs/hono/releases/tag/v4.9.6

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2025-58362

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-58362

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-58362

EUVD