VYPR
High severity · NVD Advisory · Published Sep 4, 2025 · Updated Sep 5, 2025

Hono contains a flaw in URL path parsing, potentially leading to path confusion

CVE-2025-58362

Description

Hono is a web application framework that supports any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function that could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). The original implementation located the start of the path with fixed character offsets: it inspected the character at index 9 of the request URL and began searching for the first `/` at index 13 (for `http+unix://`) or index 8 (for `http://` and `https://`). Under certain malformed absolute-form Request-URIs this could lead to incorrect path extraction, depending on the application and environment. If proxy ACLs are used to protect sensitive endpoints such as /admin, the path the proxy evaluates and the path Hono routes on can differ, which could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: high if sensitive administrative data is exposed, otherwise moderate. The issue is fixed in version 4.9.6, which derives the search offset from the position of the scheme's colon instead.
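As an added illustration (not Hono's code), the block below reimplements only the start-offset computation from the two versions of getPath shown in the patch on this page, applied to raw URL strings rather than Request objects, and compares both against the WHATWG URL parser's pathname. The rest of getPath (query-string and percent-decoding handling) is replaced by a simplified slice, and the `proxyDenies` prefix check stands in for a proxy ACL such as an Nginx `location /admin` block; both are assumptions. The inputs are constructed: four are taken from the patch's tests, and `http://a/:/xy/admin` is built to show the old logic reporting `/admin` for a URL whose real path is `/:/xy/admin`. How a particular runtime or adapter would hand such a string to getPath is not covered here.

```javascript
// Added example, not Hono's code. Only the `start` computation in the two
// functions below is copied from the patch diff; everything else is a
// simplified stand-in written for this illustration.

// Pre-4.9.6 offset logic: assumes "http://", "https://" or "http+unix://"
// and picks the search offset by looking at the character at index 9.
function getPathVulnerable(url) {
  const start = url.indexOf('/', url.charCodeAt(9) === 58 /* ':' */ ? 13 : 8);
  return pathFrom(url, start);
}

// 4.9.6 offset logic: start after "scheme://" plus the first authority
// character, wherever the scheme's colon happens to be.
function getPathFixed(url) {
  const start = url.indexOf('/', url.indexOf(':') + 4);
  return pathFrom(url, start);
}

// Simplified stand-in (assumption) for the remainder of getPath: slice from
// `start` up to the first '?'. It keeps String.prototype.slice semantics, so a
// negative `start` (indexOf miss) wraps around and yields the last character.
function pathFrom(url, start) {
  const q = url.indexOf('?', start);
  return url.slice(start, q === -1 ? undefined : q);
}

// Reference: what the WHATWG URL parser (and a proxy) considers the path.
function referencePath(url) {
  return new URL(url).pathname;
}

// Assumed proxy ACL: a prefix rule protecting /admin, like `location /admin`.
function proxyDenies(path) {
  return path === '/admin' || path.startsWith('/admin/');
}

// Constructed inputs: four from the patch's tests plus one built to make the
// old offset land on a later path segment.
const SAMPLES = [
  'http://a/:/hello',                            // patch test: starts with `/:/`
  'x://a/:/hello',                               // patch test: unknown scheme
  'http+unix://%2Ftmp%2Fsocket%2Esock/hello/',   // existing test: unix socket form
  'https://example.com/admin/users?page=2',      // ordinary URL, all agree
  'http://a/:/xy/admin',                         // constructed: old logic says "/admin"
];

function compare(url) {
  return {
    url,
    reference: referencePath(url),
    vulnerable: getPathVulnerable(url),
    fixed: getPathFixed(url),
  };
}

// True when the patched offset logic agrees with the URL parser on every sample.
function allFixedMatchReference() {
  return SAMPLES.every((u) => getPathFixed(u) === referencePath(u));
}

// The confusion the advisory describes: the proxy evaluates the real path,
// the pre-4.9.6 application routes on a different one.
function aclConfusion(url) {
  return {
    proxyDenies: proxyDenies(referencePath(url)),
    appRoutes: getPathVulnerable(url),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) console.log(compare(s));
  console.log(aclConfusion('http://a/:/xy/admin'));
}
```

Running it with node prints one comparison object per sample; for the two `/:/` cases from the patch the old logic returns the bare last character `o` because its `indexOf` search misses, and for the constructed URL the last line shows the proxy-side prefix check not matching `/:/xy/admin` while the pre-4.9.6 logic routes the request as `/admin`.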

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Affected versions     Patched versions
hono (npm)    >= 4.8.0, < 4.9.6     4.9.6


Patches

1d79aedc3f82

Merge commit from fork

https://github.com/honojs/hono · Yusuke Wada · Sep 3, 2025 · via ghsa
2 files changed · +10 −6
  • src/utils/url.test.ts · +9 −0 · modified
    @@ -116,6 +116,15 @@ describe('url', () => {
           const path = getPath(new Request('http+unix://%2Ftmp%2Fsocket%2Esock/hello/'))
           expect(path).toBe('/hello/')
         })
    +
    +    it.each([
    +      'http:/example.com/hello', // invalid HTTP URL
    +      'http:///hello', // invalid HTTP URL
    +      'http://a/:/hello', // starts with `/:/`
    +      'x://a/:/hello', // unknown schema
    +    ])('getPath - %s', (url) => {
    +      expect(getPath(new Request(url))).toBe(new URL(url).pathname)
    +    })
       })
     
       describe('getQueryStrings', () => {
    
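Review bot: the new `it.each` cases compare against `new URL(url).pathname` after passing the string through `new Request(url)`, and the Request constructor parses and re-serializes its input, so `'http:/example.com/hello'` and `'http:///hello'` reach getPath already normalized and only confirm that getPath agrees with the parser on well-formed output; they do not exercise the malformed absolute-form input the advisory describes. If that is the intent, add a comment saying so, and consider a string-level check of the start-offset computation for the malformed forms. Separately, the two `/:/` cases are the ones the old fixed offsets actually mishandle, and neither carries a query string or a percent-encoded character, so the `?` and `%` branches of getPath with the new start offset stay uncovered; adding e.g. `'http://a/:/hello?x=1'` and `'http://a/:/he%20llo'` to the array would close that gap.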
  • src/utils/url.ts · +1 −6 · modified
    @@ -105,12 +105,7 @@ const tryDecodeURI = (str: string) => tryDecode(str, decodeURI)
     
     export const getPath = (request: Request): string => {
       const url = request.url
    -  const start = url.indexOf(
    -    '/',
    -    url.charCodeAt(9) === 58
    -      ? 13 // http+unix://
    -      : 8 // http:// or https://
    -  )
    +  const start = url.indexOf('/', url.indexOf(':') + 4)
       let i = start
       for (; i < url.length; i++) {
         const charCode = url.charCodeAt(i)
    
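Review bot: `url.indexOf('/', url.indexOf(':') + 4)` has no guard for `indexOf` returning -1; the loop that follows then starts at `i = -1`, where `url.charCodeAt(-1)` is NaN, so none of the character checks can match and whatever is extracted from a negative `start` will not be a path. For a `Request.url` with a special scheme a path is always present, but a non-special scheme with no path (e.g. `x://a`) makes the search miss, so either treat `start === -1` as `'/'` (or fall back to `new URL(url).pathname`) or document that invariant at the call site. Also, the removed lines carried comments explaining the old constants and the new `+ 4` has none; a one-liner such as `// skip '://' and the first authority character` would record why the search may begin one past the host's first character without losing a root path like `http://a/`.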

