CVE-2026-39409
Improper IP Address Canonicalization in Hono ipRestriction Causes Authorization Bypass

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: hono
Product: hono
Version / Range: up to and including 4.12.11
CWE-180: The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the hono web application framework affects the ipRestriction() middleware function prior to version 4.12.12. It occurs because the function does not properly canonicalize IPv4-mapped IPv6 client addresses (such as ::ffff:127.0.0.1) before applying IPv4 allow or deny rules.

In environments like Node.js dual-stack, IPv4 clients can appear as IPv4-mapped IPv6 addresses. The middleware treats any address containing a colon as IPv6 and does not convert these mapped addresses back to their IPv4 form. As a result, IPv4 rules fail to match these addresses correctly.

This means that IPv4 static rules (e.g., blocking 127.0.0.1) do not block clients whose IP is represented as ::ffff:127.0.0.1, potentially allowing unauthorized access. Similarly, IPv4 CIDR rules are skipped for these addresses, causing unintended authorization behavior.


How can this vulnerability impact me?

This vulnerability can lead to incorrect enforcement of IP-based access controls in applications using the hono framework's ipRestriction() middleware. Specifically, IPv4 allow or deny rules may not apply correctly to IPv4-mapped IPv6 client addresses.

  • Clients that should be denied access based on IPv4 deny lists might bypass restrictions if their IP is represented as an IPv4-mapped IPv6 address.
  • Conversely, legitimate clients might be incorrectly denied access if IPv4 allow lists fail to recognize their IPv4-mapped IPv6 addresses.

Overall, this can result in unauthorized access or denial of service to legitimate users, undermining the security posture of applications relying on IP-based restrictions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your application using the hono framework is improperly handling IPv4-mapped IPv6 addresses in its ipRestriction() middleware. Specifically, if IPv4 allow or deny rules fail to match client IP addresses that appear in the IPv4-mapped IPv6 format (e.g., ::ffff:127.0.0.1), your system may be vulnerable.

To detect this on your system, you can monitor logs or network traffic for client IP addresses represented as IPv4-mapped IPv6 addresses and verify if the ipRestriction() rules are applied correctly to these addresses.

Suggested commands include inspecting network connections or logs for IPv4-mapped IPv6 addresses. For example, on a Linux system, you can use:

  • netstat -tn | grep '::ffff:'
  • ss -tn | grep '::ffff:'
  • grep '::ffff:' /path/to/application/logs

Additionally, reviewing the version of the hono package used in your application to confirm if it is prior to 4.12.12 can help identify if the vulnerability is present.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade the hono package to version 4.12.12 or later, where the issue with canonicalization of IPv4-mapped IPv6 addresses in the ipRestriction() middleware has been fixed.

This update properly normalizes IPv4-mapped IPv6 addresses before applying IP restriction rules, preventing bypasses or mismatches.

If upgrading immediately is not possible, consider reviewing and adjusting your IP restriction rules to explicitly handle IPv4-mapped IPv6 addresses or implement additional network-level filtering to block unauthorized IPv4-mapped IPv6 addresses.
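The colon-means-IPv6 mechanism described in the first answer and the rule-adjustment advice just above, as an added illustration that is not Hono's code: a minimal IPv4 deny-rule matcher in the vulnerable validate-before-canonicalize shape next to the fixed canonicalize-first shape. The function names (canonicalizeIp, isDeniedVulnerable, isDeniedFixed) and the rule format are assumptions; Hono's real ipRestriction() API differs.

```javascript
// Added example, not Hono's implementation. Rules are IPv4 literals or CIDRs;
// IPv6 rules are intentionally not modelled here.

// Both textual forms of an IPv4-mapped IPv6 address: ::ffff:a.b.c.d and ::ffff:hhhh:hhhh
const MAPPED_DOTTED = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i;
const MAPPED_HEX = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i;

// Canonicalize: a mapped address is the same client as its embedded IPv4 address,
// so IPv4 rules must be evaluated against the dotted-quad form.
function canonicalizeIp(addr) {
  const a = addr.trim();
  let m = MAPPED_DOTTED.exec(a);
  if (m) return m[1];
  m = MAPPED_HEX.exec(a);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
  }
  return a; // plain IPv4 or genuine IPv6, unchanged
}

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
}

// True if the dotted-quad ip matches a static IPv4 rule or an IPv4 CIDR rule.
function matchesIpv4Rule(ip, rule) {
  if (!rule.includes('/')) return ip === rule;
  const [net, bitsStr] = rule.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(net) & mask);
}

// Vulnerable shape (CWE-180): the address is classified before it is canonicalized.
// Anything containing a colon is treated as IPv6, so a dual-stack client seen as
// ::ffff:127.0.0.1 never reaches the IPv4 deny rules.
function isDeniedVulnerable(clientIp, denyRules) {
  if (clientIp.includes(':')) return false; // "IPv6": IPv4 rules skipped
  return denyRules.some((r) => matchesIpv4Rule(clientIp, r));
}

// Fixed shape: canonicalize first, then classify and match.
function isDeniedFixed(clientIp, denyRules) {
  const ip = canonicalizeIp(clientIp);
  if (ip.includes(':')) return false; // genuine IPv6: no IPv4 rule applies here
  return denyRules.some((r) => matchesIpv4Rule(ip, r));
}
```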


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability in the ipRestriction() middleware of the hono framework can lead to unintended authorization behavior by failing to correctly match IPv4-mapped IPv6 addresses against IPv4 allow or deny rules.

As a result, unauthorized clients might bypass IP-based access restrictions, potentially exposing sensitive data or services to unauthorized parties.

Such unauthorized access could impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls to protect personal or sensitive information.

Therefore, this vulnerability may increase the risk of non-compliance due to improper enforcement of access restrictions.

