{"id":"GHSA-xpcf-pg52-r92g","summary":"Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses","details":"## Summary\n\n`ipRestriction()` does not canonicalize IPv4-mapped IPv6 client addresses (e.g. `::ffff:127.0.0.1`) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.\n\n## Details\n\nThe middleware classifies client addresses based on their textual form. Addresses containing \"`:`\" are treated as IPv6, including IPv4-mapped IPv6 addresses such as `::ffff:127.0.0.1`. These addresses are not normalized to IPv4 before matching.\n\nAs a result:\n\n* IPv4 static rules (e.g. `127.0.0.1`) do not match because the raw string differs\n* IPv4 CIDR rules (e.g. `127.0.0.0/8`, `10.0.0.0/8`) are skipped because the address is treated as IPv6\n\nFor example, with:\n\n`denyList: ['127.0.0.1']`\n\na request from `127.0.0.1` may be represented as `::ffff:127.0.0.1` and bypass the deny rule.\n\nThis behavior commonly occurs in Node.js environments where IPv4 clients are exposed as IPv4-mapped IPv6 addresses.\n\n## Impact\n\nApplications that rely on IPv4-based `ipRestriction()` rules may incorrectly allow or deny requests.\n\nIn affected deployments, a denied IPv4 client may bypass access restrictions. Conversely, legitimate clients may be rejected when using IPv4 allow lists.","aliases":["CVE-2026-39409"],"modified":"2026-05-05T16:43:09.978906Z","published":"2026-04-08T00:17:14Z","related":["CGA-5mwp-vqrf-gmgh"],"database_specific":{"cwe_ids":["CWE-180"],"github_reviewed":true,"nvd_published_at":"2026-04-08T15:16:14Z","severity":"MODERATE","github_reviewed_at":"2026-04-08T00:17:14Z"},"references":[{"type":"WEB","url":"https://github.com/honojs/hono/security/advisories/GHSA-xpcf-pg52-r92g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39409"},{"type":"WEB","url":"https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39"},{"type":"PACKAGE","url":"https://github.com/honojs/hono"},{"type":"WEB","url":"https://github.com/honojs/hono/releases/tag/v4.12.12"}],"affected":[{"package":{"name":"hono","ecosystem":"npm","purl":"pkg:npm/hono"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.12.12"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xpcf-pg52-r92g/GHSA-xpcf-pg52-r92g.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}