Skip to main content

Hono CVE-2026-47674

| EUVDEUVD-2026-32926 MEDIUM
Incorrect Regular Expression (CWE-185)
2026-05-28 GitHub_M GHSA-xrhx-7g5j-rcj5
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 28, 2026 - 18:02 EUVD
Analysis Generated
May 28, 2026 - 17:25 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 npm packages depend on hono (8 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.12.21.

DescriptionGitHub Advisory

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule - such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses - do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.

AnalysisAI

IP restriction bypass in Hono's ip-restriction middleware (hono/ip-restriction) prior to version 4.12.21 allows unauthenticated remote attackers to circumvent configured deny and allow rules by submitting non-canonical IPv6 representations of restricted addresses. String equality comparison applied after only partial normalization means that compressed, explicit-zero, or hex-notation IPv4-mapped IPv6 forms of a listed address silently fail to match the normalized rule entry, causing enforcement to be skipped entirely. No public exploit has been identified at time of analysis, but the bypass requires only trivial reformatting of a standard IPv6 address, making it practically low-effort for any attacker aware of the flaw.

Technical ContextAI

Hono is a lightweight Web application framework supporting all major JavaScript runtimes including Cloudflare Workers, Deno, Bun, and Node.js. Its hono/ip-restriction middleware evaluates incoming client IP addresses against configured allow/deny rule sets using string equality after partial normalization. IPv6 has numerous canonically equivalent representations: compressed forms (e.g., ::1 vs 0:0:0:0:0:0:0:1), explicit-zero forms, and IPv4-mapped addresses in hex notation (e.g., ::ffff:c0a8:0101 vs ::ffff:192.168.1.1). Because the middleware's normalization was incomplete, these alternate forms did not match normalized rule entries stored internally, creating a systematic bypass class. CWE-185 (Incorrect Regular Expression) broadly covers flawed pattern or string-matching logic; in this case the root cause is that the comparison logic lacked a full canonicalization step over the IPv6 address space before comparison. The affected CPE is cpe:2.3:a:honojs:hono:*:*:*:*:*:*:*:* covering all Hono versions prior to 4.12.21.

RemediationAI

Upgrade Hono to version 4.12.21 or later, which resolves the incomplete IPv6 normalization in the ip-restriction middleware; this is the vendor-released patch confirmed by the GitHub security advisory at https://github.com/honojs/hono/security/advisories/GHSA-xrhx-7g5j-rcj5. If an immediate upgrade is not feasible, implement IP restriction at the infrastructure layer - such as a reverse proxy (nginx, Caddy), CDN edge rules, or host-based firewall - rather than relying solely on the application-level middleware, as infrastructure-layer controls typically perform full canonicalization and eliminate the normalization gap entirely. As a partial interim measure, ensure all configured deny and allow rule entries use fully expanded canonical IPv6 notation, which reduces (but does not eliminate) the attack surface since the application still does not normalize incoming addresses before comparison. Do not treat the application-level hono/ip-restriction middleware as a reliable security boundary in isolation until the upgrade to 4.12.21 is applied.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-47674 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy