
PatchSiren cyber security CVE debrief

CVE-2026-47674 honojs CVE debrief

## Summary

Hono's ip-restriction middleware (prior to 4.12.21) fails to canonicalize IPv6 addresses before comparing them against static allow/deny rules. An attacker can bypass IP-based access controls by presenting the same address in a non-canonical form (compressed notation, explicit zero groups, or IPv4-mapped hex notation) that does not match the normalized rule entry.

## Technical Analysis

The vulnerability resides in the `hono/ip-restriction` middleware's string-based comparison logic. After partial normalization, the middleware performs direct string equality checks between incoming IP addresses and configured rules. IPv6 addresses permit multiple valid textual representations of the same logical address:

- **Compressed forms**: `2001:db8::1` vs `2001:0db8:0000:0000:0000:0000:0000:0001`
- **Explicit-zero forms**: mixed usage of `::` compression with zero groups
- **IPv4-mapped addresses**: `::ffff:192.0.2.1` vs `::ffff:c000:0201`

When an administrator configures a rule using one representation, requests that present the same address in a different textual form bypass the restriction entirely. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) reflects network-accessible, low-complexity exploitation requiring no privileges or user interaction, with integrity impact limited to access control bypass.

## Affected Versions

- Hono: prior to 4.12.21

## Fixed Versions

- Hono: 4.12.21 and later

## Recommended Actions

1. **Upgrade immediately** to Hono 4.12.21 or later, which implements proper IPv6 canonicalization before rule comparison.
2. **Verify middleware configuration** if immediate patching is not feasible. Review ip-restriction rules for IPv6 entries and consider whether alternative representations of the same addresses could exist in your threat model.
3. **Implement defense-in-depth** at the infrastructure layer (load balancers, WAFs, or reverse proxies) to enforce IP restrictions independently of application-level middleware until patching is complete.
4. **Audit access logs** for requests from unexpected IPv6 source addresses that may indicate bypass attempts.

## References

- CVE Record: CVE-2026-47674
- NVD Detail: CVE-2026-47674 NVD detail
- Git
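The root cause above is a comparison of IPv6 text rather than of IPv6 addresses. The following Node.js example is added here to illustrate that point and the "audit access logs" recommendation; it is not Hono's code and not the 4.12.21 fix. It contains a from-scratch canonicalizer (eight zero-padded groups, `::` expanded, dotted-quad tails folded into hex), the string-equality pattern the advisory describes beside the canonicalized comparison, a hypothetical allow/deny policy that canonicalizes rules at load time, and a log-audit helper that reports any source address seen under more than one spelling. The policy semantics, the log line format and the sample log lines are assumptions constructed for the example.

```javascript
// Added example (not Hono's code): IPv6 canonicalization before rule comparison.

// Expand an IPv6 address to one canonical spelling: eight lowercase groups of four
// hex digits, with a trailing dotted-quad IPv4 tail folded into two hex groups.
// Returns null for anything that is not syntactically valid IPv6 (a zone id such
// as fe80::1%eth0 fails the per-group check rather than slipping through).
function canonicalizeIPv6(addr) {
  let s = addr.trim().toLowerCase();

  // ::ffff:192.0.2.1 -> ::ffff:c000:201 (the page's IPv4-mapped case).
  const lastColon = s.lastIndexOf(':');
  const tail = s.slice(lastColon + 1);
  if (tail.includes('.')) {
    const n = tail.split('.').map((o) => (/^\d{1,3}$/.test(o) ? Number(o) : NaN));
    if (n.length !== 4 || n.some((x) => Number.isNaN(x) || x > 255)) return null;
    s = s.slice(0, lastColon + 1) + ((n[0] << 8) | n[1]).toString(16) + ':' + ((n[2] << 8) | n[3]).toString(16);
  }

  // A single '::' stands for as many zero groups as needed to reach eight.
  const dc = s.indexOf('::');
  if (dc !== -1 && s.indexOf('::', dc + 1) !== -1) return null;
  let groups;
  if (dc !== -1) {
    const head = s.slice(0, dc) === '' ? [] : s.slice(0, dc).split(':');
    const rest = s.slice(dc + 2) === '' ? [] : s.slice(dc + 2).split(':');
    const missing = 8 - head.length - rest.length;
    if (missing < 1) return null;
    groups = [...head, ...Array(missing).fill('0'), ...rest];
  } else {
    groups = s.split(':');
  }
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => g.padStart(4, '0')).join(':');
}

// Vulnerable pattern: string equality after trivial normalization, so two spellings of one address differ.
function naiveMatches(ruleAddr, requestAddr) {
  return ruleAddr.trim().toLowerCase() === requestAddr.trim().toLowerCase();
}

// Corrected pattern: canonicalize both sides, then compare.
function canonicalMatches(ruleAddr, requestAddr) {
  const a = canonicalizeIPv6(ruleAddr);
  const b = canonicalizeIPv6(requestAddr);
  return a !== null && b !== null && a === b;
}

// Hypothetical allow/deny policy (an assumption of this example, not Hono's implementation): deny
// rules win, then allow rules, default deny whenever an allow list exists. Rules are canonicalized
// at load time so a malformed entry fails loudly instead of silently never matching.
function buildPolicy({ allow = [], deny = [] }) {
  const canon = (list, kind) =>
    list.map((r) => {
      const c = canonicalizeIPv6(r);
      if (c === null) throw new Error(`invalid IPv6 in ${kind} rule: ${r}`);
      return c;
    });
  const allowSet = new Set(canon(allow, 'allow'));
  const denySet = new Set(canon(deny, 'deny'));
  return function isAllowed(requestAddr) {
    const c = canonicalizeIPv6(requestAddr);
    if (c === null) return false; // unparsable source address: fail closed
    if (denySet.has(c)) return false;
    if (allowSet.size === 0) return true;
    return allowSet.has(c);
  };
}

// Audit helper for the "review access logs" recommendation: group requests by canonical source
// address and report any address seen under more than one spelling. Line format (assumed): "<ip> <method> <path> <status>".
function spellingsByAddress(lines) {
  const seen = new Map();
  for (const line of lines) {
    const src = line.split(' ')[0];
    const c = canonicalizeIPv6(src);
    if (c === null) continue; // IPv4 or malformed: not in scope here
    if (!seen.has(c)) seen.set(c, new Set());
    seen.get(c).add(src.toLowerCase());
  }
  const multiple = {};
  for (const [c, forms] of seen) if (forms.size > 1) multiple[c] = [...forms].sort();
  return multiple;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '2001:db8::1 GET /admin 200',
  '2001:0db8:0000:0000:0000:0000:0000:0001 GET /admin 200',
  '::ffff:192.0.2.1 GET /admin 403',
  '::ffff:c000:0201 GET /admin 200',
  '192.0.2.5 GET / 200',
];

const isAllowed = buildPolicy({ allow: ['2001:db8::1'], deny: ['::ffff:192.0.2.1'] });
console.log(isAllowed('::ffff:c000:0201'), spellingsByAddress(SAMPLE_LOG));
```

The two comparison functions make the defect concrete: `naiveMatches` reports the compressed and expanded spellings of `2001:db8::1` as different addresses, while `canonicalMatches` reports them as the same. Canonicalizing rules when the policy is built (rather than per request) also turns a typo in a rule into a startup error instead of a rule that never fires.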

Vendor: honojs
Product: hono
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations using Hono's ip-restriction middleware with IPv6 allowlist or denylist rules; security teams responsible for application-layer access controls in JavaScript/TypeScript deployments.

Technical summary

The ip-restriction middleware in Hono versions prior to 4.12.21 performs string equality comparisons on IPv6 addresses after only partial normalization. Non-canonical IPv6 representations (compressed forms, explicit-zero notation, hex-format IPv4-mapped addresses) fail to match rule entries, enabling unauthorized access to protected resources.

Defensive priority

medium

Recommended defensive actions

  • Upgrade to Hono 4.12.21 or later
  • Verify ip-restriction middleware configuration for IPv6 rule completeness
  • Implement infrastructure-layer IP restrictions as defense-in-depth
  • Audit access logs for anomalous IPv6 source addresses

Evidence notes

Vulnerability description and fix version derived from official CVE record and GitHub Security Advisory. CVSS vector and CWE classifications (CWE-185: Incorrect Regular Expression, CWE-1289: Improper Validation of Unsafe Equivalence in Input) sourced from NVD enrichment data.

Official resources

2026-05-28