CVE-2026-47674
IPv6 Bypass in Hono IP-Restriction Middleware
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1289 | The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. |
| CWE-185 | The product specifies a regular expression in a way that causes data to be improperly matched or compared. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the ip-restriction middleware of the Hono web application framework prior to version 4.12.21. This middleware compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. However, non-canonical IPv6 representations of an IP addressβsuch as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addressesβthat are already listed in a static rule do not match the normalized rule entry. As a result, the rule is silently skipped, potentially allowing unauthorized IP addresses to bypass restrictions.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized IP addresses to bypass IP-based access control rules because the middleware fails to correctly match non-canonical IPv6 address formats against configured rules. This could lead to unauthorized access or actions that should have been blocked by the IP restrictions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Hono framework to version 4.12.21 or later, where the ip-restriction middleware correctly normalizes and compares IP addresses to prevent bypasses.