4 matches found

NVD
added 2026/04/08 3:16 p.m. | 0 views

CVE-2026-39409

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

CVSS: 6.3 | EPSS: 0.00013
Exploits: 0 | References: 3

CVE
added 2026/04/08 2:43 p.m. | 5 views

CVE-2026-39409

CVE-2026-39409 affects the Hono web application framework. The vulnerability lies in ipRestriction() not canonicalizing IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow/deny rules, which can cause IPv4 rules to fail to match in dual-stack environments (e.g., Node.js)....

CVSS: 6.3 | AI score: 5.9 | EPSS: 0.00013
Exploits: 0 | References: 3 | Affected Software: 1

GitHub Security Blog
added 2026/04/08 12:17 a.m. | 2 views

Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Summary: ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. Details: The middlewar...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00013
Exploits: 0 | References: 5 | Affected Software: 1

Snyk
added 2026/04/08 12:17 a.m. | 2 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the ipRestriction function. An attacker can bypass access restrictions by sending requests from IPv4-mapped IPv6 addresses, which...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00013
Exploits: 0 | References: 2