CVE-2026-30827 express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)

express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking /56 by default to all addresses that net.isIPv6 returns true for. Th...

CVE-2026-30827

CVE-2026-30827 affects express-rate-limit for Express. The default keyGenerator mishandles IPv4 when the system treats IPv4 addresses as IPv6 mapped (IPv4-mapped IPv6 addresses like ::ffff:x.x.x.x). On dual-stack servers, this causes a /56 subnet mask to be applied to all IPv6 addresses, making a...

CVE-2026-30827 express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)

express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking /56 by default to all addresses that net.isIPv6 returns true for. Th...

GHSA-46WH-PXPV-Q5GQ express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network

Summary The default keyGenerator in express-rate-limit applies IPv6 subnet masking /56 by default to all addresses that net.isIPv6 returns true for. This includes IPv4-mapped IPv6 addresses ::ffff:x.x.x.x, which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all...