CVE-2026-27700
IP Bypass via X-Forwarded-For in Hono AWS Lambda Adapter

Publication date: 2026-02-25

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: hono
Product: hono
Version range: from 4.12.0 (inclusive) to 4.12.2 (exclusive)
CWE
CWE-290: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in Hono versions 4.12.0 and 4.12.1 involves incorrect handling of the X-Forwarded-For HTTP header when using the AWS Lambda adapter behind an AWS Application Load Balancer (ALB). The getConnInfo() function mistakenly selects the first IP address from the X-Forwarded-For header as the client IP. However, AWS ALB appends the real client IP address to the end of this header, meaning the first IP can be controlled by an attacker.

Because of this, an attacker can spoof their IP address by inserting a fake IP at the start of the header, causing IP-based access control mechanisms (like the ipRestriction middleware) to be bypassed. This allows unauthorized access based on IP restrictions.

The issue was fixed in version 4.12.2 by changing the logic to extract the last IP address from the X-Forwarded-For header, which correctly identifies the real client IP appended by the ALB.


How can this vulnerability impact me?

This vulnerability can allow an unauthenticated remote attacker to bypass IP-based access controls by spoofing the X-Forwarded-For header. As a result, attackers can gain unauthorized access to resources or services that rely on IP restrictions for security.

Specifically, if your application uses the Hono AWS Lambda adapter behind an AWS ALB and employs IP-based restrictions (such as the ipRestriction middleware or custom authorization relying on client IP), these protections can be circumvented.

The severity of this vulnerability is high, with a CVSS v3.1 score of 8.2, indicating a significant risk of confidentiality breach and integrity impact without requiring any privileges or user interaction.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the incorrect extraction of the client IP address from the X-Forwarded-For header when using the Hono AWS Lambda adapter behind an AWS Application Load Balancer (ALB). To detect if your system is vulnerable, you can inspect the X-Forwarded-For headers in incoming requests to see if the first IP address is attacker-controlled or spoofed.

You can monitor logs or capture network traffic to check the X-Forwarded-For header values and verify whether the IP used for access control matches the last IP in the header (the real client IP appended by ALB) or the first IP (which could be spoofed).

Suggested commands include using tools like curl or tcpdump to inspect headers and network traffic:

- Use curl to send requests with custom X-Forwarded-For headers and observe server behavior: curl -H "X-Forwarded-For: spoofed-ip" https://your-application
- Use tcpdump or similar packet capture tools to capture HTTP headers and analyze X-Forwarded-For values: sudo tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep X-Forwarded-For
- Check application logs for IP addresses used in access control decisions and verify if they correspond to the last IP in the X-Forwarded-For header rather than the first.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade the Hono framework to version 4.12.2 or later, where the vulnerability has been fixed.

The fix changes the logic in the AWS Lambda adapter to correctly extract the client IP address from the last value in the X-Forwarded-For header instead of the first, preventing IP spoofing and bypass of IP-based access controls.

If upgrading immediately is not possible, consider implementing additional validation on the X-Forwarded-For header or restricting access through other means until the patch can be applied.

