ByteOS Network

CVE Vulnerability Details :

CVE-2026-47674

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-28 May, 2026 | 15:29

Updated At-28 May, 2026 | 15:29

▼CVE Numbering Authority (CNA)

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.

Affected Products

Vendor

honojs

Product

hono

Versions

Affected

< 4.12.21

Problem Types

Type	CWE ID	Description
CWE	CWE-185	CWE-185: Incorrect Regular Expression
CWE	CWE-1289	CWE-1289: Improper Validation of Unsafe Equivalence in Input

Type: CWE

CWE ID: CWE-185

Description: CWE-185: Incorrect Regular Expression

Type: CWE

CWE ID: CWE-1289

Description: CWE-1289: Improper Validation of Unsafe Equivalence in Input

Metrics

Version	Base score	Base severity	Vector
3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

Hyperlink	Resource
https://github.com/honojs/hono/security/advisories/GHSA-xrhx-7g5j-rcj5	x_refsource_CONFIRM

Hyperlink: https://github.com/honojs/hono/security/advisories/GHSA-xrhx-7g5j-rcj5

Resource:

x_refsource_CONFIRM

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References