Hono Path Confusion Vulnerability Allowing Proxy ACL Bypass

Vulnerability

A path confusion vulnerability has been identified in the Hono web application framework, affecting versions from 4.8.0 up to but not including 4.9.6. The issue lies in the 'getPath' utility function, which used fixed character offsets to parse request URLs. Under certain malformed absolute-form Request-URIs this yields an incorrectly extracted path, so the path Hono routes on can differ from the path a reverse proxy in front of it evaluated. As a result, the vulnerability could allow bypassing proxy-level Access Control Lists (ACLs), such as Nginx location blocks, potentially leading to unauthorized access to sensitive endpoints like '/admin'. The impact on confidentiality depends on the data exposed and may be high if sensitive administrative information is revealed.

Impact

Exploitation of this vulnerability could have allowed unauthorized access to sensitive endpoints protected by proxy ACLs, such as '/admin', leading to exposure of confidential administrative data.

Reproduction

The vulnerability can be reproduced by sending malformed absolute-form Request-URIs to a Hono application running in a JavaScript runtime behind a reverse proxy such as Nginx that uses location blocks to restrict access to certain endpoints. The 'getPath' utility function parses the request URL incorrectly, so the path the application routes on differs from the one the proxy evaluated, and the proxy ACL is bypassed.
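As an added illustration of the mechanism described above (this is not Hono's code and is not taken from the advisory), the following Node.js snippet contrasts a path extractor that relies on fixed character offsets with one that uses the WHATWG URL parser and checks the host. The host name 'app.internal', the sample request targets, and the way a runtime might concatenate a server origin with the raw request-target are all constructed assumptions for the example. The point it shows is that the offset-based extractor silently returns a path for a malformed absolute-form input while the parser-based one rejects it, which is the kind of divergence that lets a proxy and the application disagree about which path is being requested.

```javascript
// Added example: illustrates the class of bug described in the advisory.
// This is NOT Hono's getPath implementation; names and inputs are constructed.

// Offset-based extraction: skips the first 8 characters (assumed to be the
// scheme and "//") and takes everything from the next '/' up to the query string.
function pathByFixedOffset(url) {
  const start = url.indexOf('/', 8);
  if (start === -1) return '/';
  const end = url.indexOf('?', start);
  return end === -1 ? url.slice(start) : url.slice(start, end);
}

// Parser-based extraction: let the WHATWG URL parser decide where the
// authority ends, and refuse any URL whose host is not the expected one.
// Returns null when the URL is unparseable or the host does not match.
function pathByUrlParser(url, expectedHost) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null;
  }
  if (parsed.host !== expectedHost) return null;
  return parsed.pathname;
}

// Regression check a defender can run: do both views agree on the path?
// A disagreement (or a rejection by the parser) flags an input that a proxy
// ACL and the application might interpret differently.
function pathViewsAgree(url, expectedHost) {
  const strict = pathByUrlParser(url, expectedHost);
  return strict !== null && strict === pathByFixedOffset(url);
}

// Constructed model (an assumption for this example) of how a runtime might
// build request.url: the server's origin concatenated with the raw request-target.
function buildRequestUrl(origin, rawRequestTarget) {
  return origin + rawRequestTarget;
}

const ORIGIN = 'http://app.internal'; // constructed
const HOST = 'app.internal';          // constructed

// A well-formed origin-form target: both extractors agree on "/admin".
const normalUrl = buildRequestUrl(ORIGIN, '/admin?x=1');
// A malformed absolute-form target concatenated verbatim: the offset extractor
// still produces a path ("//app.internal/admin"), the parser refuses the URL.
const malformedUrl = buildRequestUrl(ORIGIN, 'http://app.internal/admin');

console.log(pathByFixedOffset(normalUrl), pathByUrlParser(normalUrl, HOST));
console.log(pathByFixedOffset(malformedUrl), pathByUrlParser(malformedUrl, HOST));
console.log(pathViewsAgree(normalUrl, HOST), pathViewsAgree(malformedUrl, HOST));
```

Run it with `node` (the `URL` class is a global in current Node.js releases). The design point is that a route-matching layer should derive the path from a real URL parse bound to the expected host rather than from character positions, so that whatever the proxy normalized and checked is also what the application routes on.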

Remediation

Users are advised to update to Hono version 4.9.6, where this vulnerability has been fixed. Until the upgrade is in place, proxy-level ACLs in front of a Hono application should not be relied on as the only control for sensitive endpoints such as '/admin'.

Added: Sep 5, 2025, 12:16 AM
Updated: Sep 5, 2025, 12:16 AM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.