CVE-2025-58362

7.5 HIGH

📋 TL;DR

Hono web framework versions 4.8.0 through 4.9.5 mis-parse certain malformed absolute-form Request-URIs (request-targets written as scheme://host/path instead of /path). A reverse proxy in front of the application and Hono can therefore compute different paths for the same request, so a proxy ACL such as an Nginx location block may permit a request that Hono then routes to a protected endpoint like /admin. Any application on an affected version that relies on a proxy ACL as its access control is exposed.

💻 Affected Systems

Products:
  • Hono
Versions: 4.8.0 through 4.9.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The parsing flaw is present in every affected install; it matters where a reverse proxy ACL (for example an Nginx location block) is the control protecting endpoints, because that ACL is what gets bypassed.

📦 What is this software?

Hono is a lightweight web framework for JavaScript and TypeScript applications that runs on several server runtimes; it is published on npm as the hono package.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized access to sensitive administrative endpoints leading to data exposure, privilege escalation, or system compromise.

🟠 Likely Case

Bypass of proxy-level access controls allowing access to protected endpoints that should be restricted.

🟢 If Mitigated

Limited impact if the application implements additional authentication/authorization layers beyond proxy ACLs.

🌐 Internet-Facing: HIGH - Web applications are directly exposed to attack vectors.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to bypass access controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting specific malformed URLs to trigger the path parsing flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.6

Vendor Advisory: https://github.com/honojs/hono/security/advisories/GHSA-9hp6-4448-45g2

Restart Required: Yes

Instructions:

1. Update the hono dependency to version 4.9.6 or later.
2. In package.json, set "hono": "^4.9.6".
3. Run npm update hono (or yarn upgrade hono / pnpm update hono) so the lockfile resolves to the fixed version.
4. Restart the application, or redeploy it if it runs on a serverless runtime.

🔧 Temporary Workarounds

Implement application-level authorization (applies to: all platforms)

Add authentication/authorization checks within the application code rather than relying solely on proxy ACLs, and apply them on every route so the decision does not depend on how the path was parsed.

Use WAF rules (applies to: all platforms)

Configure the web application firewall, or the reverse proxy itself, to reject malformed absolute-form Request-URIs. Legitimate clients send absolute-form request-targets only to forward proxies, so an origin-facing reverse proxy can refuse any request-target that begins with a scheme.
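The following is an added example for this page, not code from Hono or from the advisory. It is one guard that covers both workarounds: it refuses any request whose URL carries an embedded absolute-form request-target (the rule a WAF would apply at the edge), and it requires a valid session for protected prefixes so a proxy ACL is no longer the only control in front of /admin. It is framework-agnostic by design, taking the full request URL string and the Authorization header value, which in Hono are c.req.url and c.req.header('authorization'). The "second ://" check assumes a server adapter that builds request.url by prefixing the origin to the raw request-target; that is a heuristic for this bug class, not a description of Hono's internals. SESSIONS and its tokens are constructed stand-ins for a real session store.

```javascript
// Added example (not Hono project code): application-level guard that
//   1. rejects URLs carrying an embedded absolute-form request-target, and
//   2. requires a valid session for protected prefixes.

const PROTECTED_PREFIXES = ['/admin'];

// Constructed sample sessions: bearer token -> role.
const SESSIONS = new Map([
  ['tok-admin-1', 'admin'],
  ['tok-user-1', 'user'],
]);

// Heuristic (assumption: the adapter builds request.url as origin + raw
// target): a well-formed URL has exactly one "://"; a second one means an
// absolute-form target was concatenated into it.
function hasEmbeddedAbsoluteTarget(url) {
  return url.indexOf('://') !== url.lastIndexOf('://');
}

// Derive the path with the WHATWG parser instead of slicing the string.
// URL resolves "." and ".." segments; we then percent-decode and collapse
// repeated slashes so "/admin", "//admin" and "/admin%2Fusers" compare the
// same way. Returns null for anything the parser rejects (fail closed).
function canonicalPath(url) {
  let pathname;
  try {
    pathname = new URL(url).pathname;
  } catch {
    return null; // e.g. an invalid port produced by a mangled target
  }
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null; // malformed percent-encoding
  }
  return decoded.replace(/\/{2,}/g, '/');
}

function isProtected(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Returns { status, reason }. status 0 means "allowed, run the handler";
// any other value is the HTTP status the middleware should answer with.
function authorize(url, authorizationHeader) {
  if (hasEmbeddedAbsoluteTarget(url)) {
    return { status: 400, reason: 'absolute-form request-target embedded in URL' };
  }
  const path = canonicalPath(url);
  if (path === null) {
    return { status: 400, reason: 'unparseable request URL' };
  }
  if (!isProtected(path)) {
    return { status: 0, reason: 'public path' };
  }
  const token = (authorizationHeader || '').replace(/^Bearer\s+/i, '');
  const role = SESSIONS.get(token);
  if (role === undefined) {
    return { status: 401, reason: 'no valid session' };
  }
  if (role !== 'admin') {
    return { status: 403, reason: 'insufficient role' };
  }
  return { status: 0, reason: 'authorized' };
}

// Wiring in Hono (not executed here): register on '*' so the check runs for
// every request, whatever route the router picked.
//
//   app.use('*', async (c, next) => {
//     const r = authorize(c.req.url, c.req.header('authorization'));
//     if (r.status !== 0) return c.text(r.reason, r.status);
//     await next();
//   });

// Stand-alone demo on constructed inputs.
for (const [url, auth] of [
  ['http://app.internal/health', undefined],
  ['http://app.internal/admin', undefined],
  ['http://app.internal//admin/users', 'Bearer tok-user-1'],
  ['http://app.internal/public/../admin', 'Bearer tok-admin-1'],
  ['http://app.internalhttp://evil.example/admin', 'Bearer tok-admin-1'],
]) {
  console.log(url, '->', JSON.stringify(authorize(url, auth)));
}
```

The canonicalization step is the point: the guard decides on the path a URL parser produces, never on a hand-sliced substring, and anything the parser or the percent-decoder rejects is answered with 400 rather than passed through.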

🧯 If You Can't Patch

  • Implement additional authentication layers at the application level for all protected endpoints
  • Monitor logs for unusual access patterns to protected endpoints like /admin

🔍 How to Verify

Check if Vulnerable:

Check the resolved version in package-lock.json (or yarn.lock / pnpm-lock.yaml) rather than only the range in package.json, and look for hono pulled in transitively by other packages: npm ls hono lists every copy. Any version from 4.8.0 through 4.9.5 inclusive is affected.

Check Version:

npm list hono or check package.json for "hono" version

Verify Fix Applied:

Confirm the resolved version (npm list hono) is 4.9.6 or later, then replay the crafted absolute-form request-targets from your own test cases against a staging instance and confirm the protected endpoints are refused.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to protected endpoints like /admin
  • HTTP requests with malformed absolute-form URLs

Network Indicators:

  • HTTP requests containing crafted absolute-form Request-URIs

SIEM Query:

Pseudo-syntax; adapt the field names to your schema:

http.request_target matches "^[a-z][a-z0-9+.-]*://" OR (http.path starts_with "/admin" AND http.status < 400 AND NOT user.role = "admin")
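The log indicators above, run over constructed sample lines, as an added example that is not code from the page or from Hono. It parses Nginx combined-format access log lines, classifies each request-target by the tricks that make a proxy and an application disagree on the path (absolute-form, leading double slash, encoded slashes, dot segments), computes the path an application that percent-decodes and then resolves dot segments would see, and flags protected paths that were answered with a success status. The IPs, timestamps and user agents are made up.

```javascript
// Added example, not code from the page or from Hono. Constructed access-log
// lines in Nginx "combined" format.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Sep/2025:10:00:01 +0000] "GET /health HTTP/1.1" 200 12 "-" "curl/8.5"',
  '10.0.0.5 - - [01/Sep/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 403 153 "-" "curl/8.5"',
  '203.0.113.9 - - [01/Sep/2025:10:00:03 +0000] "GET http://app.internal/admin HTTP/1.1" 200 512 "-" "python-requests/2.32"',
  '203.0.113.9 - - [01/Sep/2025:10:00:04 +0000] "GET //admin HTTP/1.1" 403 153 "-" "python-requests/2.32"',
  '203.0.113.9 - - [01/Sep/2025:10:00:05 +0000] "GET /static/..%2Fadmin HTTP/1.1" 200 512 "-" "python-requests/2.32"',
  'not a log line',
].join('\n');

const PROTECTED_PREFIXES = ['/admin'];

// remote_addr ident user [time] "method target protocol" status ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (HTTP\/[\d.]+)" (\d{3}) /;

// RFC 7230 absolute-form: the target starts with a scheme and "://".
const ABSOLUTE_FORM_RE = /^[a-z][a-z0-9+.-]*:\/\//i;

// The path an application sees if it percent-decodes first and then lets a
// URL parser resolve dot segments; repeated slashes are collapsed as well.
// Returns null when the target cannot be decoded or parsed.
function effectivePath(target) {
  let decoded;
  try {
    decoded = decodeURIComponent(target);
  } catch {
    return null;
  }
  const url = ABSOLUTE_FORM_RE.test(decoded) ? decoded : 'http://placeholder' + decoded;
  try {
    return new URL(url).pathname.replace(/\/{2,}/g, '/');
  } catch {
    return null;
  }
}

function isProtected(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Why a target deserves attention; an empty array means "looks ordinary".
function suspiciousReasons(target, status) {
  const reasons = [];
  if (ABSOLUTE_FORM_RE.test(target)) reasons.push('absolute-form');
  if (/%2f/i.test(target)) reasons.push('encoded-slash');
  let decoded;
  try {
    decoded = decodeURIComponent(target);
  } catch {
    reasons.push('undecodable');
    return reasons;
  }
  if (decoded.startsWith('//')) reasons.push('double-slash');
  if (/(^|\/)\.\.(\/|$)/.test(decoded.split('?')[0])) reasons.push('dot-segment');
  const path = effectivePath(target);
  if (path !== null && isProtected(path) && status < 400) reasons.push('protected-path-served');
  return reasons;
}

// Walk the log and return one finding per line that has at least one reason.
function findPathConfusion(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // not combined format; route to a parse-failure counter in practice
    const [, ip, time, method, target, , statusText] = m;
    const status = Number(statusText);
    const reasons = suspiciousReasons(target, status);
    if (reasons.length === 0) continue;
    findings.push({ ip, time, method, target, status, effectivePath: effectivePath(target), reasons });
  }
  return findings;
}

console.log(JSON.stringify(findPathConfusion(SAMPLE_LOG), null, 2));
```

On the sample, the plain GET /admin that the proxy refused with 403 is not flagged, while the absolute-form target and the encoded dot-segment target are flagged both for their shape and because a protected path came back with 200. The "protected-path-served" reason is the one to alert on; the shape-only reasons are better treated as hunting context.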

🔗 References

  • Vendor advisory: https://github.com/honojs/hono/security/advisories/GHSA-9hp6-4448-45g2