CVE-2026-39409

MEDIUM

Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Title source: cna

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.

References (3)

Scores

CVSS v3 5.3
EPSS 0.0001
EPSS Percentile 1.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-180
Status published
Products (3)
hono/hono < 4.12.11
honojs/hono < 4.12.12
npm/hono 0 - 4.12.12npm
Published Apr 08, 2026
Tracked Since Apr 08, 2026