Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
RSS Feed
MODERATE
GHSA-xpcf-pg52-r92g
CVE-2026-39409
Description:
Summary
ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.
Details
The middleware classifies client addresses based on their textual form. Addresses containing ":" are treated as IPv6, including IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. These addresses are not normalized to IPv4 before matching.
As a result:
- IPv4 static rules (e.g.
127.0.0.1) do not match because the raw string differs - IPv4 CIDR rules (e.g.
127.0.0.0/8,10.0.0.0/8) are skipped because the address is treated as IPv6
For example, with:
denyList: ['127.0.0.1']
a request from 127.0.0.1 may be represented as ::ffff:127.0.0.1 and bypass the deny rule.
This behavior commonly occurs in Node.js environments where IPv4 clients are exposed as IPv4-mapped IPv6 addresses.
Impact
Applications that rely on IPv4-based ipRestriction() rules may incorrectly allow or deny requests.
In affected deployments, a denied IPv4 client may bypass access restrictions. Conversely, legitimate clients may be rejected when using IPv4 allow lists.
Affected Packages
| Ecosystem | Package | Vulnerable Versions | Patched Version |
|---|---|---|---|
| npm |
hono
|
< 4.12.12 |
4.12.12
|
deps(deps): bump the security-patches group across 4 directories with 2 updates
Open 14 days ago
VeVarunSharma/contoso-vibe-engineering #303
npm:drizzle-orm
npm:hono
chore(deps): bump the npm_and_yarn group across 11 directories with 24 updates
Open 15 days ago
GlacierEQ/langgraphjs #6
npm:axios
npm:vite
+20 more
deps(deps): bump the security-patches group across 4 directories with 2 updates
Closed 15 days ago
VeVarunSharma/contoso-vibe-engineering #296
npm:drizzle-orm
npm:hono
build(deps): Bump the npm_and_yarn group across 1 directory with 15 updates
Closed 15 days ago
you112ef/knet-mock-pay-06 #17
npm:react-router
npm:vite
+12 more
chore(deps): bump the npm_and_yarn group across 5 directories with 23 updates
Closed 15 days ago
nssuwan186-dev/ag-ui #35
npm:next
npm:uuid
+4 more
chore(deps): bump the npm_and_yarn group across 24 directories with 5 updates
Open 16 days ago
jadenblack/composio #101
npm:axios
npm:uuid
+2 more
Bump the npm_and_yarn group across 5 directories with 7 updates
Open 16 days ago
rshan1515/workers-sdk #19
npm:vite
npm:undici
+5 more
Bump the npm_and_yarn group across 4 directories with 9 updates
Closed 16 days ago
ANT0071/drizzle-orm #6
npm:rollup
npm:uuid
+4 more
build(deps): bump the npm_and_yarn group across 2 directories with 5 updates
Open 16 days ago
tsukasa-u/FUSOU #177
npm:astro
npm:vite
+3 more
chore(deps): bump the npm_and_yarn group across 9 directories with 8 updates
Closed 16 days ago
bluluvinn/x402 #16
npm:axios
npm:vite
+5 more
chore(deps): Bump the npm_and_yarn group across 4 directories with 5 updates
Closed 17 days ago
ds1/pincerpay #110
npm:next
npm:yaml
+3 more
Bump the npm_and_yarn group across 4 directories with 7 updates
Open 17 days ago
rshan1515/workers-sdk #18
npm:vite
npm:undici
+5 more
chore(deps): bump the npm_and_yarn group across 15 directories with 10 updates
Closed 18 days ago
ANT0071/mastra #97
npm:axios
npm:next
+6 more
chore(deps): bump the npm_and_yarn group across 15 directories with 9 updates
Closed 18 days ago
xendit/mastra #101
npm:axios
npm:next
+5 more
Bump the npm_and_yarn group across 19 directories with 5 updates
Open 19 days ago
cloudflare/ai #520
npm:axios
npm:postcss
+3 more
Bump the npm_and_yarn group across 1 directory with 5 updates
Closed 20 days ago
canstralian/workers-for-platforms-template #1
npm:undici
npm:esbuild
+2 more
build(deps): bump hono from 4.12.9 to 4.12.15 in /server
Open 20 days ago
OuroborosCollective/Wasd #380
npm:hono
Bump the npm_and_yarn group across 18 directories with 4 updates
Open 20 days ago
cloudflare/ai #514
npm:axios
npm:postcss
+2 more
build(deps): bump the minor-and-patch group across 1 directory with 7 updates
Closed 20 days ago
jfilter/timetiles #117
npm:vitest
npm:@types/node
+5 more
Bump hono from 4.6.0 to 4.12.15 in /backend
Closed 21 days ago
Teddynews/teddyfon-cleaner #26
npm:hono
deps: bump hono from 4.12.10 to 4.12.15
Open 21 days ago
tropicans/codmulti #12
npm:hono
chore(deps): bump the all-minor-and-patch group across 1 directory with 26 updates
Open 21 days ago
TiM1113/FoodDelivery-AWS-Vercell #133
npm:vitest
npm:@vitest/coverage-v8
+24 more
deps(deps): bump the security-patches group across 3 directories with 2 updates
Open 21 days ago
VeVarunSharma/contoso-vibe-engineering #279
npm:drizzle-orm
npm:hono
chore(deps): bump the minor-and-patch group across 1 directory with 25 updates
Closed 21 days ago
mustafaersoyer/konnekt-crm #17
npm:eslint
npm:react-dom
+23 more
chore(deps): bump the production group across 1 directory with 12 updates
Open 21 days ago
SuperstellarLLC/n3rd-ai-ui #22
npm:vitest
npm:@vitest/coverage-v8
+10 more
chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates
Open 21 days ago
fderuiter/wedding_website #250
npm:next
npm:lodash
+1 more
chore(deps): Bump hono from 4.11.4 to 4.12.14
Closed 21 days ago
paveg/tailf #46
npm:hono
chore(deps): bump the dependencies group across 1 directory with 6 updates
Closed 21 days ago
kempsterrrr/ar-io-node-project #104
npm:prettier
npm:turbo
+4 more
build(deps): bump the npm_and_yarn group across 9 directories with 9 updates
Closed 21 days ago
sc-shakyawijerathne/xmcloud-starter-js #77
npm:axios
npm:next
+4 more
chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates
Closed 21 days ago
tenkumogroup/guildkit #71
npm:next
npm:fast-xml-parser
+3 more
Bump hono from 4.12.3 to 4.12.15
Closed 21 days ago
yuzhenmi/taleweaver #142
npm:hono
chore(deps)(deps): bump hono from 4.11.2 to 4.12.15
Open 21 days ago
Phoenixrr2113/agent #120
npm:hono
chore(deps): Bump the npm-non-major group across 1 directory with 8 updates
Open 22 days ago
Jost17/frea #28
npm:tailwindcss
npm:@tailwindcss/cli
+6 more
Bump the npm_and_yarn group across 5 directories with 5 updates
Closed 22 days ago
blackboxprogramming/BlackRoad-OS-Live-Working-Version-Public #2
npm:next
npm:follow-redirects
+3 more
deps(api)(deps): bump hono from 4.11.9 to 4.12.15 in /cloudflare/forgescan-api in the hono group
Open 22 days ago
Bjay0727-jay/Forge-Scan #102
npm:hono
chore(deps): bump the production-dependencies group across 1 directory with 6 updates
Open 22 days ago
bidewio/better-openclaw #43
npm:react-dom
npm:next
+4 more
chore(deps): bump the all-minor-patch group across 1 directory with 23 updates
Open 22 days ago
WuMingDao/zenith-image-generator #94
npm:vitest
npm:react-router-dom
+21 more
chore(deps): Bump hono from 4.6.0 to 4.12.15
Open 22 days ago
amynaff/my-lunar-phase #36
npm:hono
deps: Bump the minor-and-patch group across 1 directory with 12 updates
Open 22 days ago
vinaes/md-succ-ai #13
npm:nanoid
npm:hono
+10 more
chore(deps): bump hono from 4.12.9 to 4.12.15
Open 22 days ago
forbiddenlink/specter #45
npm:hono
Bump the npm_and_yarn group across 1 directory with 5 updates
Open 22 days ago
MatiasPF1/SHPE-Stevens-Chapter #1
npm:next
npm:hono
+3 more
Bump hono from 4.12.9 to 4.12.15
Closed 22 days ago
TheDuffman85/linux-update-dashboard #138
npm:hono
build(deps): bump the npm_and_yarn group across 1 directory with 23 updates
Open 22 days ago
johnnycsv232/GettUppENTERPRISE #9
npm:vite
npm:next
+21 more
chore(deps): bump hono from 4.12.8 to 4.12.15 in /frontend
Closed 22 days ago
haporfirio/cyphron #4
npm:hono
chore(deps): bump hono from 4.12.10 to 4.12.15 in /dashboard
Open 22 days ago
Epigibson/Nexus #14
npm:hono
chore(deps): Bump hono from 4.12.10 to 4.12.15 in /apps/translator/server in the minor-and-patch group across 1 directory
Closed 23 days ago
masserfx/even-realities #19
npm:hono
Bump hono from 4.12.6 to 4.12.15
Open 23 days ago
tmaurie/clean-lap #31
npm:hono
chore(deps): Bump the npm_and_yarn group across 1 directory with 2 updates
Closed 23 days ago
yagudaev/voiceclaw #226
npm:@anthropic-ai/sdk
npm:hono
chore(deps): bump hono from 3.11.8 to 4.12.14 in the npm_and_yarn group across 1 directory
Closed 24 days ago
lmist/markmap #1
npm:hono
Bump the npm_and_yarn group across 1 directory with 12 updates
Open 24 days ago
Dargon789/template-ethereum-contracts #253
npm:axios
npm:yaml
+9 more
Actions
Advisory Details
| Published: | April 08, 2026 about 1 month ago |
| Updated: | May 11, 2026 8 days ago |
| CVSS Score: | 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| EPSS: | 0.01% 2th percentile |
| Source: | Github |
| Classification: | GENERAL |
| UUID: | GSA_kwCzR0hTQS14cGNmLXBnNTItcjkyZ84ABU3o |
PR Statistics
PR Status
Open
592 (44.3%)
Merged
0 (0.0%)
Closed
745 (55.7%)
Update Types
Major
157 (4.8%)
Minor
1290 (39.8%)
Patch
1777 (54.8%)
References
- https://github.com/honojs/hono/security/advisories/GHSA-xpcf-pg52-r92g
- https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39
- https://github.com/honojs/hono/releases/tag/v4.12.12
- https://nvd.nist.gov/vuln/detail/CVE-2026-39409
- https://github.com/advisories/GHSA-xpcf-pg52-r92g