CVE-2026-47674
Analyzed Analyzed - Analysis Complete
IPv6 Bypass in Hono IP-Restriction Middleware

Publication date: 2026-05-28

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule β€” such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses β€” do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-29
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-47674
EUVD
EUVD-2026-32926
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hono hono to 4.12.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1289 The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
CWE-185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the ip-restriction middleware of the Hono web application framework prior to version 4.12.21. This middleware compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. However, non-canonical IPv6 representations of an IP addressβ€”such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addressesβ€”that are already listed in a static rule do not match the normalized rule entry. As a result, the rule is silently skipped, potentially allowing unauthorized IP addresses to bypass restrictions.

Detection Guidance

Detection of this vulnerability involves identifying whether the Hono framework's ip-restriction middleware is in use and if it is a vulnerable version prior to 4.12.21.

Since the vulnerability arises from the bypass of static deny rules due to non-canonical IPv6 address representations, detection can focus on monitoring access logs for IP addresses that appear in non-canonical forms (such as compressed IPv6, explicit-zero forms, or hex-notation IPv4-mapped addresses) that should have been denied.

Commands to assist detection might include:

  • Review application or proxy logs for IP addresses in non-canonical IPv6 formats that correspond to denied IPs.
  • Use grep or similar tools to search logs for IPv6 addresses in compressed or unusual formats.
  • Example command to find compressed IPv6 addresses in logs: `grep -E '([0-9a-fA-F]{1,4}:){1,7}:?[0-9a-fA-F]{0,4}' /path/to/access.log`
  • Check the version of the Hono framework in use to confirm if it is older than 4.12.21, for example by inspecting package.json or equivalent dependency files.

Note that no specific detection commands are provided in the available resources, so these suggestions are based on the nature of the vulnerability and typical log inspection techniques.

Impact Analysis

This vulnerability can allow unauthorized IP addresses to bypass IP-based access control rules because the middleware fails to correctly match non-canonical IPv6 address formats against configured rules. This could lead to unauthorized access or actions that should have been blocked by the IP restrictions.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Hono framework to version 4.12.21 or later, where the ip-restriction middleware correctly normalizes and compares IP addresses to prevent bypasses.

Compliance Impact

The vulnerability in the hono/ip-restriction middleware allows bypass of static deny rules for non-canonical IPv6 addresses, which can lead to unauthorized access by circumventing IP-based access controls.

Such unauthorized access risks could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls to protect sensitive data and ensure privacy.

If an application relies on the vulnerable middleware for IP-based access restrictions to protect personal or sensitive information, this vulnerability could lead to non-compliance by allowing unauthorized entities to access protected resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47674. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart