5.3
CVE-2026-47674
- EPSS 0.24%
- Veröffentlicht 28.05.2026 15:29:08
- Zuletzt bearbeitet 29.05.2026 16:57:58
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.153 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-1289 Improper Validation of Unsafe Equivalence in Input
The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
CWE-185 Incorrect Regular Expression
The product specifies a regular expression in a way that causes data to be improperly matched or compared.
https://github.com/honojs/hono/security/advisories/GHSA-xrhx-7g5j-rcj5