Express Rate Limiter Can Block All IPv4 Traffic
GHSA-46wh-pxpv-q5gq
CVE-2026-30827
Summary
If you're using an outdated version of the Express rate limiter, a security issue can cause it to block all IPv4 traffic to your website, making it inaccessible to many users. This is a serious problem because it can lead to downtime and lost business. To fix it, update to a patched version of the rate limiter or configure a custom keyGenerator that avoids this issue.
What to do
- Update express-rate-limit to version 8.2.2.
- Update express-rate-limit to version 8.1.1.
- Update express-rate-limit to version 8.0.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | express-rate-limit | > 8.2.0, <= 8.2.2 | 8.2.2 |
| – | express-rate-limit | 8.1.0 | 8.1.1 |
| – | express-rate-limit | > 8.0.0, <= 8.0.2 | 8.0.2 |
| – | express-rate-limit | > 8.1.0, <= 8.1.1 | 8.1.1 |
| express-rate-limit_project | express-rate-limit | > 8.0.0, <= 8.0.2 | – |
| express-rate-limit_project | express-rate-limit | > 8.2.0, <= 8.2.2 | – |
| express-rate-limit_project | express-rate-limit | 8.1.0 | – |
Original title
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-li...
Original description
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.
CVSS 3.1 (GHSA): 7.5
Vulnerability type
CWE-770
Allocation of Resources Without Limits
- https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHS...
- https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b97...
- https://github.com/advisories/GHSA-46wh-pxpv-q5gq
- https://github.com/express-rate-limit/express-rate-limit (Product)
- https://nvd.nist.gov/vuln/detail/CVE-2026-30827
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026