Skip to main content

Node.js CVE-2026-39409

| EUVDEUVD-2026-20497 MEDIUM
Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)
2026-04-08 https://github.com/honojs/hono GHSA-xpcf-pg52-r92g
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 00:30 euvd
EUVD-2026-20497
Analysis Generated
Apr 08, 2026 - 00:30 vuln.today
Patch released
Apr 08, 2026 - 00:30 nvd
Patch available
CVE Published
Apr 08, 2026 - 00:17 nvd
MEDIUM 6.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 64 npm packages depend on hono (48 direct, 16 indirect)

Ecosystem-wide dependent count for version 4.12.12.

DescriptionGitHub Advisory

Summary

ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.

Details

The middleware classifies client addresses based on their textual form. Addresses containing ":" are treated as IPv6, including IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. These addresses are not normalized to IPv4 before matching.

As a result:

  • IPv4 static rules (e.g. 127.0.0.1) do not match because the raw string differs
  • IPv4 CIDR rules (e.g. 127.0.0.0/8, 10.0.0.0/8) are skipped because the address is treated as IPv6

For example, with:

denyList: ['127.0.0.1']

a request from 127.0.0.1 may be represented as ::ffff:127.0.0.1 and bypass the deny rule.

This behavior commonly occurs in Node.js environments where IPv4 clients are exposed as IPv4-mapped IPv6 addresses.

Impact

Applications that rely on IPv4-based ipRestriction() rules may incorrectly allow or deny requests.

In affected deployments, a denied IPv4 client may bypass access restrictions. Conversely, legitimate clients may be rejected when using IPv4 allow lists.

AnalysisAI

IPv4 access control bypass in Hono middleware allows IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) to bypass IPv4-based ipRestriction() rules due to failure to canonicalize addresses before matching. Denied IPv4 clients can circumvent access restrictions in Node.js dual-stack environments by presenting as IPv6-formatted addresses, and legitimate IPv4 clients may be incorrectly rejected when allowlists are used. No public exploit code identified at time of analysis, but the vulnerability enables straightforward authentication bypass with minimal complexity.

Technical ContextAI

The Hono web framework middleware implements IP-based access control through the ipRestriction() function, which classifies client addresses based on textual representation rather than canonical form. IPv4-mapped IPv6 addresses (RFC 4291 notation ::ffff:x.x.x.x) are syntactically valid representations of IPv4 addresses that Node.js dual-stack servers commonly produce when receiving IPv4 connections over IPv6-capable interfaces. The vulnerability stems from the address classification logic treating any address containing colons as IPv6, bypassing IPv4 CIDR matching logic entirely. The root cause falls under CWE-180 (Incorrect Handling of Unusual Byte Sequences), as the middleware fails to normalize semantically equivalent but syntactically different representations of the same address before applying security rules. This is particularly relevant in Node.js environments where the net module automatically converts IPv4 connections to IPv4-mapped IPv6 format when the server listens on IPv6 addresses.

RemediationAI

Upgrade Hono to version 4.12.12 or later, which includes the fix commit 48fa2233bc092f650119f42df043050737cabf39 implementing IPv4-mapped IPv6 address canonicalization in the ipRestriction() middleware. For affected applications, verify dependency lock files (package-lock.json, yarn.lock, pnpm-lock.yaml) and run npm update or equivalent package manager command to obtain the patched version. Organizations unable to upgrade immediately should audit ipRestriction() configurations to identify IPv4-based rules, review alternative authentication/authorization mechanisms that do not rely solely on IP classification, and consider implementing address canonicalization in application-level middleware as a temporary compensating control. See GitHub advisory GHSA-xpcf-pg52-r92g and release notes at https://github.com/honojs/hono/releases/tag/v4.12.12 for additional guidance.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-39409 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy