Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Description
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (hono/aws-lambda) behind an Application Load Balancer (ALB), the getConnInfo() function incorrectly selected the first value from the X-Forwarded-For header. Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the ipRestriction middleware) to be bypassed. Version 4.12.2 patches the issue.
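To make the mechanism in the description concrete, here is an added example (not Hono's own code) that contrasts the first-entry selection of 4.12.0/4.12.1 with the last-entry selection the fix adopts, run through a minimal allowlist check in the spirit of ipRestriction; the header values are constructed, and the hardened selector additionally drops empty entries, which is an assumption of this example rather than something the upstream patch does.

```typescript
// Added example, not Hono's code. Assumption: the Lambda is reached only
// through an ALB, so the trailing X-Forwarded-For entry is the address of
// the peer that opened the connection to the ALB (the real client when no
// other proxy sits in front of the ALB).

// Vulnerable selection (hono 4.12.0/4.12.1): the first entry is whatever the
// client put in its own X-Forwarded-For header, so it is attacker-controlled.
function clientIpFirst(xff: string | undefined): string | undefined {
  if (!xff) return undefined
  return xff.split(',')[0]?.trim()
}

// Hardened selection: take the entry the ALB appended last. Empty entries
// are dropped so a trailing comma or stray whitespace cannot yield "" as an
// address that a naive comparison might then treat as a valid value.
function clientIpLast(xff: string | undefined): string | undefined {
  if (!xff) return undefined
  const ips = xff.split(',').map((s) => s.trim()).filter((s) => s.length > 0)
  return ips.length > 0 ? ips[ips.length - 1] : undefined
}

// Minimal allowlist check modelled on an IP-restriction middleware: the
// request passes only if the selected address is on the list. The selector
// decides which header entry is judged, which is the whole of the bug.
function allowed(
  xff: string | undefined,
  allowList: readonly string[],
  select: (xff: string | undefined) => string | undefined
): boolean {
  const ip = select(xff)
  return ip !== undefined && allowList.includes(ip)
}

// Constructed sample: the client sends "X-Forwarded-For: 127.0.0.1" and the
// ALB appends the real source address 192.168.1.100 before invoking Lambda.
const SPOOFED_XFF = '127.0.0.1, 192.168.1.100'
const ALLOW_LIST: string[] = ['127.0.0.1']

// Same header, both selectors: the first-entry selector admits the spoofed
// request, the last-entry selector judges the ALB-observed address instead.
function demo(): { vulnerable: boolean; fixed: boolean } {
  return {
    vulnerable: allowed(SPOOFED_XFF, ALLOW_LIST, clientIpFirst), // true: bypassed
    fixed: allowed(SPOOFED_XFF, ALLOW_LIST, clientIpLast), // false: blocked
  }
}
```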
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hono (npm) | >= 4.12.0, < 4.12.2 | 4.12.2 |
Patches
1 patch · 2 files changed · +31 −21
src/adapter/aws-lambda/conninfo.test.ts+28 −19 modified@@ -71,27 +71,36 @@ describe('getConnInfo', () => { }) describe('ALB', () => { - it('Should return the client IP from x-forwarded-for header', () => { - const ip = '192.0.2.50' - const req = new Request('http://localhost/', { - headers: { - 'x-forwarded-for': `${ip}, 10.0.0.1`, - }, - }) - const c = new Context(req, { - env: { - requestContext: { - elb: { - targetGroupArn: 'arn:aws:elasticloadbalancing:...', + it.each([ + { + description: 'ALB appends real client IP', + xff: '10.0.0.1, 192.0.2.50', + expected: '192.0.2.50', + }, + { + description: 'attacker-controlled first IP', + xff: '127.0.0.1, 192.168.1.100', + expected: '192.168.1.100', + }, + ])( + 'Should return the last IP from x-forwarded-for ($description)', + ({ xff, expected }) => { + const req = new Request('http://localhost/', { + headers: { 'x-forwarded-for': xff }, + }) + const c = new Context(req, { + env: { + requestContext: { + elb: { + targetGroupArn: 'arn:aws:elasticloadbalancing:...', + }, }, }, - }, - }) - - const info = getConnInfo(c) - - expect(info.remote.address).toBe(ip) - }) + }) + const info = getConnInfo(c) + expect(info.remote.address).toBe(expected) + } + ) it('Should return undefined when no x-forwarded-for header', () => { const c = new Context(new Request('http://localhost/'), {
src/adapter/aws-lambda/conninfo.ts+3 −2 modified@@ -59,8 +59,9 @@ export const getConnInfo: GetConnInfo = (c: Context<Env>) => { else { const xff = c.req.header('x-forwarded-for') if (xff) { - // First IP is the client - address = xff.split(',')[0].trim() + const ips = xff.split(',') + // ALB appends the real client IP to the end of the header + address = ips[ips.length - 1].trim() } }
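Review bot: in the conninfo.ts hunk, `address = ips[ips.length - 1].trim()` can still produce an empty string for a header such as `192.0.2.50,` (trailing comma), and the replacement comment should spell out the trust assumption the new logic rests on: the last entry is the address of whichever peer opened the connection to the ALB, which is the real client only when no other proxy sits between the client and the ALB. Suggest dropping empty entries, e.g. `const ips = xff.split(',').map((s) => s.trim()).filter((s) => s.length > 0)`, leaving `address` undefined when nothing remains, and stating the ALB-is-the-only-hop assumption in the comment so operators with a different topology know the value is not what they expect.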
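Review bot: the `it.each` table in the conninfo.test.ts hunk only exercises two-entry headers, so it pins the regression but not the edges of the new last-element logic: add a single-entry case (`xff: '192.0.2.50'`, `expected: '192.0.2.50'`), a three-hop case showing the middle entries are ignored, and a trailing-comma case (`xff: '192.0.2.50,'`) so an empty `remote.address` is caught by the suite rather than silently accepted.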
References
- github.com/advisories/GHSA-xh87-mx6m-69f3 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27700 (NVD entry)
- github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7 (fix commit)
- github.com/honojs/hono/releases/tag/v4.12.2 (patched release)
- github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3 (upstream advisory, vendor confirmation)