Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 64 npm packages depend on hono (48 direct, 16 indirect)
Ecosystem-wide dependent count for version 4.12.12.
DescriptionGitHub Advisory
Summary
ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.
Details
The middleware classifies client addresses based on their textual form. Addresses containing ":" are treated as IPv6, including IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. These addresses are not normalized to IPv4 before matching.
As a result:
- IPv4 static rules (e.g.
127.0.0.1) do not match because the raw string differs - IPv4 CIDR rules (e.g.
127.0.0.0/8,10.0.0.0/8) are skipped because the address is treated as IPv6
For example, with:
denyList: ['127.0.0.1']
a request from 127.0.0.1 may be represented as ::ffff:127.0.0.1 and bypass the deny rule.
This behavior commonly occurs in Node.js environments where IPv4 clients are exposed as IPv4-mapped IPv6 addresses.
Impact
Applications that rely on IPv4-based ipRestriction() rules may incorrectly allow or deny requests.
In affected deployments, a denied IPv4 client may bypass access restrictions. Conversely, legitimate clients may be rejected when using IPv4 allow lists.
AnalysisAI
IPv4 access control bypass in Hono middleware allows IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) to bypass IPv4-based ipRestriction() rules due to failure to canonicalize addresses before matching. Denied IPv4 clients can circumvent access restrictions in Node.js dual-stack environments by presenting as IPv6-formatted addresses, and legitimate IPv4 clients may be incorrectly rejected when allowlists are used. No public exploit code identified at time of analysis, but the vulnerability enables straightforward authentication bypass with minimal complexity.
Technical ContextAI
The Hono web framework middleware implements IP-based access control through the ipRestriction() function, which classifies client addresses based on textual representation rather than canonical form. IPv4-mapped IPv6 addresses (RFC 4291 notation ::ffff:x.x.x.x) are syntactically valid representations of IPv4 addresses that Node.js dual-stack servers commonly produce when receiving IPv4 connections over IPv6-capable interfaces. The vulnerability stems from the address classification logic treating any address containing colons as IPv6, bypassing IPv4 CIDR matching logic entirely. The root cause falls under CWE-180 (Incorrect Handling of Unusual Byte Sequences), as the middleware fails to normalize semantically equivalent but syntactically different representations of the same address before applying security rules. This is particularly relevant in Node.js environments where the net module automatically converts IPv4 connections to IPv4-mapped IPv6 format when the server listens on IPv6 addresses.
RemediationAI
Upgrade Hono to version 4.12.12 or later, which includes the fix commit 48fa2233bc092f650119f42df043050737cabf39 implementing IPv4-mapped IPv6 address canonicalization in the ipRestriction() middleware. For affected applications, verify dependency lock files (package-lock.json, yarn.lock, pnpm-lock.yaml) and run npm update or equivalent package manager command to obtain the patched version. Organizations unable to upgrade immediately should audit ipRestriction() configurations to identify IPv4-based rules, review alternative authentication/authorization mechanisms that do not rely solely on IP classification, and consider implementing address canonicalization in application-level middleware as a temporary compensating control. See GitHub advisory GHSA-xpcf-pg52-r92g and release notes at https://github.com/honojs/hono/releases/tag/v4.12.12 for additional guidance.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20497
GHSA-xpcf-pg52-r92g