Moderate severity · OSV Advisory · Published Jan 27, 2026 · Updated Jan 27, 2026
Hono's IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
CVE-2026-24398
Description
Hono is a web application framework that runs on any JavaScript runtime. Prior to version 4.11.7, the IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4_REGEX pattern in src/utils/ipaddr.ts accepted any zero-to-three-digit run per octet, and the convertIPv4ToBinary function did not check that octet values fall within 0-255, so an attacker could craft malformed IPv4 addresses (an octet above 255, such as 1.2.3.256) that pass the syntax check and bypass IP-based access controls. Version 4.11.7 contains a patch for the issue.
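As an added example (not Hono's own code and not taken from the advisory), the following TypeScript reproduces the two IPV4_REGEX patterns from the fix commit beside a hypothetical octet packer, a regex-free strict parser and a toy exact-match allow rule, to show how an over-range or empty octet that passes the old pattern aliases to a different address once packed. The packer `packIPv4Unchecked`, the parser `parseIPv4Strict`, the helper `isAllowed` and every sample address are assumptions constructed for this demonstration; Hono's real convertIPv4ToBinary and middleware are not reproduced.

```typescript
// Added example (not Hono's code): the pre- and post-fix IPV4_REGEX patterns from
// the CVE-2026-24398 commit, plus hypothetical helpers showing the consequence.

// Pre-4.11.7 pattern from src/utils/ipaddr.ts: each octet is any 0-3 digit run,
// so '999', '256' and even an empty octet all match.
const VULNERABLE_IPV4_REGEX = /^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/

// 4.11.7 pattern: each octet must be 0-255 and must not carry a leading zero.
const IPV4_OCTET_PART = '(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
const PATCHED_IPV4_REGEX = new RegExp(`^(?:${IPV4_OCTET_PART}\\.){3}${IPV4_OCTET_PART}$`)

const isIPv4Vulnerable = (addr: string): boolean => VULNERABLE_IPV4_REGEX.test(addr)
const isIPv4Patched = (addr: string): boolean => PATCHED_IPV4_REGEX.test(addr)

// Hypothetical packer (assumed for the example, not Hono's convertIPv4ToBinary):
// it trusts the regex and folds each octet in with carry, so an octet above 255
// spills into the octet before it and an empty octet (Number('') === 0) reads as 0.
function packIPv4Unchecked(addr: string): number {
  return addr.split('.').reduce((acc, part) => (acc * 256 + Number(part)) >>> 0, 0)
}

// Render a packed 32-bit value back to dotted-quad form.
function formatIPv4(bits: number): string {
  return [24, 16, 8, 0].map((s) => (bits >>> s) & 0xff).join('.')
}

// Hardened alternative that does not lean on one regex: parse each octet and
// enforce the digit-only, no-leading-zero and 0-255 rules explicitly.
// Returns the packed value, or null for anything that is not a canonical IPv4 address.
function parseIPv4Strict(addr: string): number | null {
  const parts = addr.split('.')
  if (parts.length !== 4) return null
  let bits = 0
  for (const part of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(part)) return null
    const octet = Number(part)
    if (octet > 255) return null
    bits = (bits * 256 + octet) >>> 0
  }
  return bits
}

// Toy exact-match allow rule (constructed for this example, not Hono's middleware):
// accept `remote` when it passes `validate` and packs to the same bits as an entry.
function isAllowed(remote: string, allowList: string[], validate: (a: string) => boolean): boolean {
  if (!validate(remote)) return false
  const wanted = packIPv4Unchecked(remote)
  return allowList.some((entry) => validate(entry) && packIPv4Unchecked(entry) === wanted)
}

// Constructed inputs: what each validator says and what the unchecked packer turns them into.
function demo(): Record<string, { vulnerable: boolean; patched: boolean; packedAs: string; strict: number | null }> {
  const samples = ['1.2.3.4', '1.2.3.256', '1.2.3.', '01.2.3.4', '999.999.999.999', '255.255.255.255']
  const out: ReturnType<typeof demo> = {}
  for (const s of samples) {
    out[s] = {
      vulnerable: isIPv4Vulnerable(s),
      patched: isIPv4Patched(s),
      packedAs: formatIPv4(packIPv4Unchecked(s)),
      strict: parseIPv4Strict(s),
    }
  }
  return out
}

console.log(JSON.stringify(demo(), null, 2))
// With the old pattern, '1.2.3.256' is accepted and packs to 1.2.4.0, so an allow
// list containing 1.2.4.0 admits it; the patched pattern rejects it outright.
console.log('old pattern admits 1.2.3.256 as 1.2.4.0:', isAllowed('1.2.3.256', ['1.2.4.0'], isIPv4Vulnerable))
console.log('new pattern admits 1.2.3.256 as 1.2.4.0:', isAllowed('1.2.3.256', ['1.2.4.0'], isIPv4Patched))
```

The regex fix is sufficient for the syntax check, but a parser that validates the range while it packs (as `parseIPv4Strict` does) removes the coupling between the regex and the converter that the advisory describes: whichever path a caller takes, an octet outside 0-255 can no longer reach the comparison.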
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hono (npm) | < 4.11.7 | 4.11.7 |
Patches (1)
2 files changed · +16 −1
src/utils/ipaddr.test.ts+14 −0 modified@@ -28,6 +28,20 @@ describe('distinctRemoteAddr', () => { expect(distinctRemoteAddr('example.com')).toBeUndefined() }) + + it('Should reject invalid IPv4 addresses with octets > 255', () => { + expect(distinctRemoteAddr('1.2.3.256')).toBeUndefined() + expect(distinctRemoteAddr('1.2.3.999')).toBeUndefined() + expect(distinctRemoteAddr('1.2.2.355')).toBeUndefined() + expect(distinctRemoteAddr('256.0.0.1')).toBeUndefined() + expect(distinctRemoteAddr('999.999.999.999')).toBeUndefined() + }) + + it('Should accept valid IPv4 edge cases', () => { + expect(distinctRemoteAddr('0.0.0.0')).toBe('IPv4') + expect(distinctRemoteAddr('255.255.255.255')).toBe('IPv4') + expect(distinctRemoteAddr('1.2.3.4')).toBe('IPv4') + }) }) describe('convertIPv4ToBinary', () => {
src/utils/ipaddr.ts+2 −1 modified@@ -33,7 +33,8 @@ export const expandIPv6 = (ipV6: string): string => { return sections.join(':') } -const IPV4_REGEX = /^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/ +const IPV4_OCTET_PART = '(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])' +const IPV4_REGEX = new RegExp(`^(?:${IPV4_OCTET_PART}\\.){3}${IPV4_OCTET_PART}$`) /** * Distinct Remote Addr
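Review bot: the new rejection test in src/utils/ipaddr.test.ts only exercises octets above 255; the old pattern's `[0-9]{0,3}` also accepted empty octets ('1.2.3.' or '...'), and the new octet part additionally rejects leading zeros ('01.2.3.4'), neither of which is pinned down here. Add cases such as `expect(distinctRemoteAddr('1.2.3.')).toBeUndefined()` and `expect(distinctRemoteAddr('01.2.3.4')).toBeUndefined()` so the empty-octet fix and the leading-zero behaviour change are covered and cannot regress silently.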
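Review bot: IPV4_OCTET_PART in src/utils/ipaddr.ts changes accepted syntax beyond the range fix: `[1-9]?[0-9]` rejects leading zeros ('01.2.3.4', '1.2.3.004') that the previous pattern matched, and nothing in the hunk documents that. A one-line comment above the constant stating the 0-255 range and the no-leading-zero rule would save the next reader a regex decode. Separately, the advisory text names convertIPv4ToBinary as also lacking range validation, but this diff only changes the regex; if that function is reachable without first passing IPV4_REGEX, it still needs its own octet range check.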
References (5)
- github.com/advisories/GHSA-r354-f388-2fhh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-24398 (NVD entry)
- github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37 (fix commit)
- github.com/honojs/hono/releases/tag/v4.11.7 (patched release)
- github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh (upstream advisory)