Overview
The Common Vulnerabilities and Exposures system has recently identified a flaw in the Hono Web application framework. This particular vulnerability, dubbed CVE-2025-58362, impacts versions 4.8.0 through 4.9.5 of the framework and can potentially allow bypass of proxy-level Access Control Lists (ACLs), such as Nginx location blocks, thus potentially compromising the system or leading to data leakage.
Vulnerability Summary
CVE ID: CVE-2025-58362
Severity: High (7.5 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise and data leakage
Affected Products
A new way to communicate
Ameeba Chat is built on encrypted identity, not personal profiles.
Message, call, share files, and coordinate with identities kept separate.
- • Encrypted identity
- • Ameeba Chat authenticates access
- • Aliases and categories
- • End-to-end encrypted chat, calls, and files
- • Secure notes for sensitive information
Private communication, rethought.
Product | Affected Versions
Hono Web Application Framework | 4.8.0 to 4.9.5
How the Exploit Works
The vulnerability resides in the getPath utility function of Hono’s Web application framework. It functions on the basis of fixed character offsets when parsing request URLs. Under certain conditions involving malformed absolute-form Request-URIs, incorrect path extraction might occur. This could potentially allow an attacker to bypass proxy ACLs that protect sensitive endpoints such as /admin, leading to unauthorized access to these endpoints.
Conceptual Example Code
The following example demonstrates a hypothetical request that could potentially exploit this vulnerability:
GET http://target.example.com/%2F..%2Fadmin HTTP/1.1
Host: target.example.comIn this example, a malformed Request-URI is used to potentially bypass the ACL protecting the /admin endpoint, thereby granting unauthorized access to it.