Medium severity5.3NVD Advisory· Published May 28, 2026· Updated May 29, 2026
CVE-2026-47674
CVE-2026-47674
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
hononpm | < 4.12.21 | 4.12.21 |
Affected products
10- osv-coords7 versionspkg:apk/chainguard/honopkg:apk/chainguard/hono-adapter-mqttpkg:apk/chainguard/hono-clipkg:apk/chainguard/hono-compatpkg:apk/chainguard/hono-service-authpkg:apk/chainguard/hono-service-command-routerpkg:apk/chainguard/hono-service-device-registry-jdbc
< 0+ 6 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-xrhx-7g5j-rcj5ghsaADVISORY
- github.com/honojs/hono/security/advisories/GHSA-xrhx-7g5j-rcj5nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-47674ghsaADVISORY
- github.com/honojs/hono/commit/c831020fb1fa2e929d222f6c84e1abfe013e512bghsaWEB
- github.com/honojs/hono/releases/tag/v4.12.21ghsaWEB
News mentions
1- Hono 4.12.21: Four Medium-Severity CVEs Disclosed in a Single AdvisoryVypr Intelligence · May 28, 2026