CVE-2026-30827
Received Received - Intake
Rate Limiting Bypass in express-rate-limit Causes IPv4 Traffic Collapse

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30827
EUVD
EUVD-2026-10113
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
express-rate-limit_project express-rate-limit From 8.0.0 (inc) to 8.0.2 (exc)
express-rate-limit_project express-rate-limit From 8.2.0 (inc) to 8.2.2 (exc)
express-rate-limit_project express-rate-limit 8.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30827 is a vulnerability in the express-rate-limit npm package versions 8.0.0 through 8.2.1. The issue arises because the default keyGenerator function incorrectly handles IPv4-mapped IPv6 addresses on servers that support both IPv4 and IPv6 (dual-stack servers).

Specifically, the keyGenerator applies an IPv6 subnet mask (/56 by default) to all IP addresses identified as IPv6 by Node.js’s net.isIPv6() function. This includes IPv4-mapped IPv6 addresses, which are IPv4 addresses represented in IPv6 format (e.g., ::ffff:x.x.x.x). Because the first 80 bits of these IPv4-mapped IPv6 addresses are zero, applying the /56 subnet mask results in the same network key (::/56) for all IPv4 clients.

As a result, all IPv4 traffic is grouped into a single rate-limit bucket. This means if one IPv4 client exhausts the rate limit, all other IPv4 clients are blocked and receive HTTP 429 (Too Many Requests) errors, effectively causing a denial of service for all IPv4 users.

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition for all IPv4 clients accessing an Express server using the vulnerable express-rate-limit versions. Because all IPv4 clients share the same rate-limit bucket, if one client exceeds the allowed number of requests, all other IPv4 clients will be blocked and receive HTTP 429 errors.

This means legitimate users may be unable to access services, leading to service disruption and degraded availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by observing if multiple IPv4 clients are being rate limited together, resulting in HTTP 429 errors for all IPv4 users when only one client exhausts the limit. On dual-stack servers, the request.ip value for IPv4 clients will appear as IPv4-mapped IPv6 addresses (e.g., ::ffff:x.x.x.x).

To detect this, you can check the IP addresses logged by your Express server to see if IPv4 clients are represented as IPv4-mapped IPv6 addresses. Additionally, monitoring for excessive HTTP 429 responses affecting all IPv4 clients simultaneously can indicate the issue.

There are no specific commands provided in the resources, but you can use network monitoring or logging tools to inspect request IPs and rate limiting behavior. For example, you might use commands like:

  • Check server logs for request IPs in the format ::ffff:x.x.x.x
  • Use tools like tcpdump or Wireshark to capture traffic and verify IP address formats
  • Monitor HTTP 429 response rates to identify if many IPv4 clients are being blocked simultaneously
Mitigation Strategies

The immediate mitigation step is to upgrade the express-rate-limit package to a fixed version. The vulnerability is patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.

If upgrading immediately is not possible, consider implementing a custom keyGenerator function that correctly handles IPv4-mapped IPv6 addresses by extracting the IPv4 address in dotted-decimal notation instead of applying an IPv6 subnet mask.

This prevents all IPv4 clients from being collapsed into a single rate-limit bucket and avoids denial of service caused by one client exhausting the limit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30827. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart