Hono Incorrectly Handles IPv4 Addresses in Some IPv6 Requests
GHSA-xpcf-pg52-r92g · CVE-2026-39409
Summary
If you use Hono to restrict access to your application, it may incorrectly allow or deny requests from IPv4 clients when the application runs on a system that uses both IPv4 and IPv6. This happens when a client's IPv4 address is presented as an IPv6 address with the IPv4 address embedded inside (an IPv4-mapped IPv6 address). To fix this, you'll need to update your Hono configuration to correctly identify and handle these types of addresses.
What to do
- Update yusukebe hono to version 4.12.12.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| yusukebe | hono | <= 4.12.12 | 4.12.12 |
Original title
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Original description
## Summary
`ipRestriction()` does not canonicalize IPv4-mapped IPv6 client addresses (e.g. `::ffff:127.0.0.1`) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.
## Details
The middleware classifies client addresses based on their textual form. Addresses containing `:` are treated as IPv6, including IPv4-mapped IPv6 addresses such as `::ffff:127.0.0.1`. These addresses are not normalized to IPv4 before matching.
As a result:
* IPv4 static rules (e.g. `127.0.0.1`) do not match because the raw string differs
* IPv4 CIDR rules (e.g. `127.0.0.0/8`, `10.0.0.0/8`) are skipped because the address is treated as IPv6
For example, with:
`denyList: ['127.0.0.1']`
a request from `127.0.0.1` may be represented as `::ffff:127.0.0.1` and bypass the deny rule.
This behavior commonly occurs in Node.js environments where IPv4 clients are exposed as IPv4-mapped IPv6 addresses.
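The following is an added example, not Hono's source code: it models the text-based classification the advisory describes (any address containing `:` is treated as IPv6, so IPv4 static rules are compared as raw strings and IPv4 CIDR rules are skipped) beside a hardened variant that canonicalizes IPv4-mapped IPv6 addresses before matching. The `canonicalize()`, `matchesRuleByTextualForm()`, `matchesRuleCanonical()` and `isDenied()` functions are assumptions for illustration; the sample deny list and client addresses are constructed.

```javascript
// Added example (not Hono's source): models the address classification the
// advisory describes and the canonicalization step that fixes it.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Parse dotted-quad IPv4 into an unsigned 32-bit integer, or null if invalid.
function parseIPv4(addr) {
  const m = IPV4_RE.exec(addr);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Reduce an IPv4-mapped IPv6 address (::ffff:a.b.c.d, or the hex form
// ::ffff:xxxx:xxxx) to its dotted IPv4 form. Any other string is returned
// unchanged. This is an assumed canonicalizer, not Hono's own.
function canonicalize(addr) {
  const s = addr.toLowerCase();
  const dotted = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(s);
  if (dotted && parseIPv4(dotted[1]) !== null) return dotted[1];
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(s);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
  }
  return addr;
}

// True if the IPv4 integer falls inside rule ("a.b.c.d" or "a.b.c.d/n").
function ipv4MatchesRule(ip, rule) {
  const [base, prefixStr] = rule.split('/');
  const baseInt = parseIPv4(base);
  if (baseInt === null) return false;
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) return false;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ip & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Classification as the advisory describes it: any address containing ':' is
// treated as IPv6, so an IPv4 static rule is compared as a raw string and an
// IPv4 CIDR rule is skipped entirely.
function matchesRuleByTextualForm(clientAddr, rule) {
  if (clientAddr.includes(':')) {
    return !rule.includes('/') && clientAddr === rule;
  }
  const ip = parseIPv4(clientAddr);
  return ip !== null && ipv4MatchesRule(ip, rule);
}

// Hardened variant: canonicalize first, then classify and match.
function matchesRuleCanonical(clientAddr, rule) {
  return matchesRuleByTextualForm(canonicalize(clientAddr), rule);
}

// Apply a deny list with the given matcher; true means the client is blocked.
function isDenied(clientAddr, denyList, matcher) {
  return denyList.some((rule) => matcher(clientAddr, rule));
}

// Constructed sample: a deny list of IPv4 rules and clients as a Node.js
// dual-stack listener reports IPv4 peers (IPv4-mapped IPv6 form).
const denyList = ['127.0.0.1', '10.0.0.0/8'];
for (const client of ['::ffff:127.0.0.1', '::ffff:10.1.2.3', '::ffff:7f00:1', '203.0.113.9']) {
  console.log(client,
    'textual:', isDenied(client, denyList, matchesRuleByTextualForm),
    'canonical:', isDenied(client, denyList, matchesRuleCanonical));
}
```

Run with `node`, the textual matcher reports every mapped client as not denied, which is the bypass the advisory describes; the canonical matcher blocks `::ffff:127.0.0.1`, `::ffff:7f00:1` and `::ffff:10.1.2.3` while still passing `203.0.113.9`. The same canonicalization step is what makes an IPv4 allow list stop rejecting legitimate dual-stack clients, since the match runs on the address the rule author actually wrote.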
## Impact
Applications that rely on IPv4-based `ipRestriction()` rules may incorrectly allow or deny requests.
In affected deployments, a denied IPv4 client may bypass access restrictions. Conversely, legitimate clients may be rejected when using IPv4 allow lists.
CVSS 4.0 (GHSA): 6.3
Vulnerability type: CWE-180
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026