express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)
Description
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
express-rate-limitnpm | >= 8.2.0, < 8.2.2 | 8.2.2 |
express-rate-limitnpm | >= 8.1.0, < 8.1.1 | 8.1.1 |
express-rate-limitnpm | >= 8.0.0, < 8.0.2 | 8.0.2 |
Affected products
14- osv-coords13 versionspkg:apk/chainguard/kibana-9.1pkg:apk/chainguard/kibana-9.1-iamguardedpkg:apk/chainguard/kibana-9.2pkg:apk/chainguard/kibana-9.2-iamguardedpkg:apk/chainguard/kibana-9.3pkg:apk/chainguard/kibana-9.3-iamguardedpkg:apk/chainguard/langfuse-3-workerpkg:apk/chainguard/langfuse-fips-3-workerpkg:apk/chainguard/opensearch-dashboards-2pkg:apk/chainguard/opensearch-dashboards-2-fipspkg:apk/wolfi/langfuse-3-workerpkg:apk/wolfi/opensearch-dashboards-2pkg:npm/express-rate-limit
< 9.1.10-r7+ 12 more
- (no CPE)range: < 9.1.10-r7
- (no CPE)range: < 9.1.10-r7
- (no CPE)range: < 9.2.6-r1
- (no CPE)range: < 9.2.6-r1
- (no CPE)range: < 9.3.1-r1
- (no CPE)range: < 9.3.1-r1
- (no CPE)range: < 3.163.0-r0
- (no CPE)range: < 3.162.0-r1
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 3.163.0-r0
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: >= 8.2.0, < 8.2.2
- Range: >= 8.0.0, < 8.0.2
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-46wh-pxpv-q5gqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30827ghsaADVISORY
- github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4ghsax_refsource_MISCWEB
- github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gqghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.