Moderate severity · OSV Advisory · Published Jan 27, 2026 · Updated Jan 27, 2026
Hono's IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
CVE-2026-24398
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4_REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue.
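The missing octet range check described above, as an added example that is not Hono's source code: `LAX_IPV4`, `laxToNumber`, `strictToNumber` and `inCidr` are hypothetical names, and the sample address is constructed. It contrasts a digit-count-only validator with one that enforces 0-255 per octet, and shows why an unchecked octet makes an allow/deny rule compare against a value that no longer corresponds to the input string.

```javascript
// Added illustration; not Hono's source. LAX_IPV4 is a constructed pattern
// that, like the flaw described, checks only digit count, not octet range.
const LAX_IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Shift-and-add conversion with no range check (constructed "before" form).
function laxToNumber(ip) {
  const m = LAX_IPV4.exec(ip);
  if (!m) return null;
  return m.slice(1).reduce((sum, part) => sum * 256 + Number(part), 0);
}

// Hardened form: each octet must be canonical decimal in 0-255.
function strictToNumber(ip) {
  if (typeof ip !== "string") return null;
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    // Reject empty, non-digit, leading-zero ("01") and over-long octets.
    if (!/^(0|[1-9]\d{0,2})$/.test(part)) return null;
    const n = Number(part);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// True when ip falls inside base/prefixLen; invalid input never matches.
function inCidr(toNumber, ip, base, prefixLen) {
  const addr = toNumber(ip);
  const net = toNumber(base);
  if (addr === null || net === null) return false;
  const size = 2 ** (32 - prefixLen);
  return Math.floor(addr / size) === Math.floor(net / size);
}

// Constructed sample: an address string with an out-of-range final octet.
const SAMPLE = "192.0.2.256";
console.log(laxToNumber(SAMPLE) === laxToNumber("192.0.3.0")); // true
console.log(strictToNumber(SAMPLE)); // null
console.log(inCidr(laxToNumber, SAMPLE, "192.0.3.0", 24)); // true
console.log(inCidr(strictToNumber, SAMPLE, "192.0.3.0", 24)); // false
```

A validator that returns null for malformed input lets the caller fail closed: the request is rejected before any rule comparison happens.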
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hono (npm) | < 4.11.7 | 4.11.7 |
Affected products
7
- osv-coords (6 versions; < 0 + 5 more):
  - pkg:apk/chainguard/hono
  - pkg:apk/chainguard/langfuse-3-worker
  - pkg:apk/chainguard/langfuse-fips-3-worker
  - pkg:apk/chainguard/librechat
  - pkg:apk/wolfi/langfuse-3-worker
  - pkg:npm/hono
- (no CPE) range: < 0
- (no CPE) range: < 3.153.0-r0
- (no CPE) range: < 3.152.0-r0
- (no CPE) range: < 0.8.2-r1
- (no CPE) range: < 3.153.0-r0
- (no CPE) range: < 4.11.7
References
5
- github.com/advisories/GHSA-r354-f388-2fhh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-24398 (ghsa, ADVISORY)
- github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37 (ghsa, x_refsource_MISC, WEB)
- github.com/honojs/hono/releases/tag/v4.11.7 (ghsa, x_refsource_MISC, WEB)
- github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh (ghsa, x_refsource_CONFIRM, WEB)