Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
Summary The HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS. The WebSocket login path — sending login: username, password messages over an established WebSocket...
CVE-2026-30827
A flaw was found in express-rate-limit. The default key generator incorrectly applies IPv6 subnet masking to IPv4-mapped IPv6 addresses, which are used when an IPv4 client connects to a dual-stack server. This misconfiguration causes all IPv4 traffic to be treated as a single entity for rate...
CVE-2026-30827 express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking /56 by default to all addresses that net.isIPv6 returns true for. Th...
express-rate-limit security vulnerability
Express-Rate-Limit is a request rate-limiting middleware developed by Express Rate Limit. Versions 8.0.0 and later, prior to 8.0.2, 8.1.1, 8.2.2 and 8.3.0, are affected. The vulnerability stems from the improper application of subnet masks by the default key generato...
Allocation of Resources Without Limits or Throttling
Overview express-rate-limit is a basic IP rate-limiting middleware for Express, used to limit repeated requests to public APIs and/or endpoints such as password reset. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the ipKeyGenerator...
@chrisleekr/mcp-server-playground (>=1.1.0-dev-1d08adb.1 <=1.1.0-dev-ff904e8.1) potentially affected by CVE-2026-30827 via express-rate-limit (=8.0.1)
express-rate-limit NPM version =8.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on express-rate-limit and may be impacted: - @chrisleekr/mcp-server-playground =1.1.0-dev-1d08adb.1, =1.1.0-dev-ff904e8.1 Source cves: CVE-2026-30827 Source advisory:...
@chrisleekr/mcp-server-playground (>=1.1.0 <=1.1.2-dev-ed23132.1), @intlayer/backend (>=7.0.9-canary.2 <=7.5.9) +29 more potentially affected by CVE-2026-30827 via express-rate-limit (=8.2.1)
express-rate-limit NPM version =8.2.1 is affected by a known vulnerability. The following packages have a transitive dependency on express-rate-limit and may be impacted: - @chrisleekr/mcp-server-playground =1.1.0, =7.0.9-canary.2, =1.597.450, =4.0.0, =3.1.0, =0.0.1-canary.1, =0.42.0, =0.20.0,...
@igea/oac_backend (>=1.0.35 <=1.0.113), @igea/oac_frontend (>=1.0.31 <=1.0.109) +12 more potentially affected by CVE-2026-30827 via express-rate-limit (=8.1.0)
express-rate-limit NPM version =8.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on express-rate-limit and may be impacted: - @igea/oac_backend =1.0.35, =1.0.31, =7.0.0, =2.0.0-test.19, =0.1.0, =0.29.0, =0.16.0, =0.42.0, =0.27.0, =0.42.0, =0.70.0,...
GHSA-46WH-PXPV-Q5GQ express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
Summary The default keyGenerator in express-rate-limit applies IPv6 subnet masking /56 by default to all addresses that net.isIPv6 returns true for. This includes IPv4-mapped IPv6 addresses ::ffff:x.x.x.x, which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all...
PT-2026-23791
Name of the Vulnerable Software and Affected Versions express-rate-limit versions 8.0.0 through 8.0.1; express-rate-limit version 8.1.0; express-rate-limit versions 8.2.0 through 8.2.1 Description The default keyGenerator in express-rate-limit incorrectly applies IPv6 subnet masking ...