Impact
Prior to version 4.12.21, the Hono framework strips the mount prefix from an incoming request path by slicing the raw URL pathname, while the match that decides whether the request belongs to the mount is performed against the percent-decoded path. A multi-byte character occupies one position in the decoded path but several in the raw pathname (é, for example, is one character decoded and the six-character sequence %C3%A9 on the wire), so when the mount-prefix portion of a request contains percent-encoded multi-byte characters the two representations disagree on where the prefix ends and the prefix is cut at the wrong offset. The mounted sub-application then receives a malformed or unintended path: one that still carries part of the encoding, or one that no longer names the resource the client asked for. The consequence is logic errors or unintended behaviour in the sub-application, whose handlers act on a URL that does not correspond to the intended resource. The advisory gives no proof of concept, but its description implies the condition is attacker-controlled: an HTTP request whose mount-prefix portion contains percent-encoded multi-byte characters is enough to trigger the mis-stripping and the resulting incorrect routing.
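The offset mismatch described above, as an added illustration that is not Hono's own code: a mount prefix is matched against the decoded path but stripped from the raw pathname, beside a version that performs both steps on the decoded form. The prefix /café, the request paths and the helper names are assumptions chosen for this example, not values taken from the advisory.

```javascript
// Added example, not code from the Hono project. It models the prefix
// stripping mismatch: the decoded mount prefix "/café" is 5 characters,
// but its wire form "/caf%C3%A9" is 10, so slicing the raw pathname by
// the decoded length lands in the middle of the encoding.

// Decode a raw pathname, treating malformed percent-sequences as "no path"
// instead of letting a URIError escape into the router.
function safeDecode(rawPathname) {
  try {
    return decodeURIComponent(rawPathname);
  } catch (e) {
    if (e instanceof URIError) return null;
    throw e;
  }
}

// True when `decoded` is exactly the prefix or a sub-path below it.
function matchesPrefix(decoded, prefix) {
  return decoded === prefix || decoded.startsWith(prefix + "/");
}

// Vulnerable model: match on the decoded path, strip on the raw pathname.
// Returns the path the sub-application would receive, or null on no match.
function stripPrefixMismatched(rawPathname, prefix) {
  const decoded = safeDecode(rawPathname);
  if (decoded === null || !matchesPrefix(decoded, prefix)) return null;
  return rawPathname.slice(prefix.length) || "/";
}

// Consistent model: match and strip on the same (decoded) representation,
// so multi-byte characters in the prefix cannot shift the cut point.
function stripPrefixConsistent(rawPathname, prefix) {
  const decoded = safeDecode(rawPathname);
  if (decoded === null || !matchesPrefix(decoded, prefix)) return null;
  return decoded.slice(prefix.length) || "/";
}

// Constructed request paths (not from the advisory) exercising both models.
// "\u00e9" is the precomposed é that "%C3%A9" decodes to.
const CASES = [
  { prefix: "/caf\u00e9", raw: "/caf%C3%A9/items/1" }, // encoded multi-byte prefix
  { prefix: "/caf\u00e9", raw: "/caf%C3%A9" },         // prefix only
  { prefix: "/api",       raw: "/api/items/1" },       // ASCII prefix: no mismatch
  { prefix: "/caf\u00e9", raw: "/cafe/items/1" },      // different resource: no match
  { prefix: "/caf\u00e9", raw: "/caf%C3%A9/%E0" },     // truncated UTF-8 sequence
];

// Side-by-side result for every case: the mismatched model hands the
// sub-application "C3%A9/items/1" where the consistent one hands it "/items/1".
function compareModels() {
  return CASES.map(({ prefix, raw }) => ({
    raw,
    mismatched: stripPrefixMismatched(raw, prefix),
    consistent: stripPrefixConsistent(raw, prefix),
  }));
}

for (const r of compareModels()) console.log(r);
```

The ASCII case shows why the defect is easy to miss in testing: with a prefix that has no multi-byte characters the raw and decoded offsets coincide and both models agree. The truncated-sequence case is the other check worth keeping: a decoder that throws on malformed input must be caught before it reaches the routing decision, otherwise a crafted path turns the bug into an unhandled error.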
Affected Systems
Deployments of the Hono web framework (honojs/hono) older than 4.12.21 that mount sub-applications with app.mount() and that receive percent-encoded request URLs are affected. The vulnerable code path is the prefix stripping performed by app.mount(), so an application whose mount points contain multi-byte characters, or that otherwise receives them percent-encoded in the mount-prefix portion of request paths, is exposed; applications that never call app.mount() do not reach the affected code. The fix is to upgrade to 4.12.21 or later.
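A triage check for the conditions in this section, added here as example code rather than anything from the Hono project: it compares the installed Hono version (the resolved version in node_modules/hono/package.json or the lockfile, not the range in your own package.json) against 4.12.21 numerically, because a string comparison ranks 4.12.9 after 4.12.21, and it scans source text for app.mount() calls whose literal prefix contains non-ASCII or percent-encoded characters. The version parser, the scan regex and the sample package.json and source lines are this example's own constructions.

```javascript
// Added example, not code from the Hono project: a triage check for the
// affected-systems conditions. Version parsing, mount-prefix scanning and
// the sample inputs are assumptions made for this example.

const FIXED_VERSION = [4, 12, 21]; // first Hono release containing the fix

// Parse "4.12.9", "v4.12.9" or "4.12.9-rc.1" into [major, minor, patch].
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(text.trim());
  if (!m) throw new Error(`not a resolved semver version: ${text}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison; a plain string compare would rank "4.12.9" above "4.12.21".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(resolvedVersion) {
  return compareVersions(parseVersion(resolvedVersion), FIXED_VERSION) < 0;
}

// Read the resolved version out of an installed package's package.json text.
function honoVersionFromPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  if (pkg.name !== "hono") throw new Error(`expected package hono, got ${pkg.name}`);
  return pkg.version;
}

// Find app.mount() calls with a literal first argument and flag prefixes that
// contain non-ASCII characters or a percent sign, i.e. those a client sends
// percent-encoded on the wire. Prefixes built from variables are not seen here.
function findMountPrefixes(sourceText) {
  const re = /\.mount\s*\(\s*(['"`])(.*?)\1/g;
  const found = [];
  for (const m of sourceText.matchAll(re)) {
    const prefix = m[2];
    found.push({ prefix, encodedOnWire: /[^\x00-\x7F]|%/.test(prefix) });
  }
  return found;
}

// Overall verdict for one deployment.
function assess(packageJsonText, sourceText) {
  const version = honoVersionFromPackageJson(packageJsonText);
  const affectedVersion = isAffectedVersion(version);
  const mounts = findMountPrefixes(sourceText);
  return {
    version,
    affectedVersion,
    mounts,
    // Any app.mount() user on a pre-fix version should upgrade.
    needsUpgrade: affectedVersion && mounts.length > 0,
    // Mounts whose prefix arrives percent-encoded match the advisory's stated
    // trigger condition directly.
    matchesAdvisoryPrecondition: affectedVersion && mounts.some((m) => m.encodedOnWire),
  };
}

// Constructed sample inputs (not real project files).
const SAMPLE_PACKAGE_JSON = '{"name":"hono","version":"4.12.9"}';
const SAMPLE_SOURCE = [
  "const app = new Hono()",
  "app.mount('/api', legacy.fetch)",
  "app.mount(\"/caf\u00e9\", menu.fetch)",
  "app.route('/admin', admin)",
].join("\n");

console.log(assess(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE));
```

The scan is a grep-level aid for prioritising, not proof of absence: a prefix assembled at runtime, or a reverse proxy that rewrites paths in front of Hono, can put percent-encoded characters in front of app.mount() without a literal in the source showing it, so on an affected version the version check alone should drive the upgrade decision.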
Risk and Exploitability
The CVSS base score of 5.3 corresponds to Medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The flaw is triggered by request content alone: an unauthenticated remote attacker sends an HTTP request whose mount-prefix portion contains percent-encoded multi-byte characters, and no user interaction or additional privilege is needed because the defect lies entirely in server-side routing. With no exploitation data, the practical risk is best described as medium; the direct impact is limited to incorrect routing within the mounted sub-application rather than data loss or code execution, so how much it matters in a given deployment depends on what the sub-application does with the path it receives.
OpenCVE Enrichment