CVE-2026-47674: CWE-185: Incorrect Regular Expression in honojs hono
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.
AI Analysis
Technical Summary
The honojs hono framework's ip-restriction middleware prior to version 4.12.21 performs IP address comparisons using string equality after partial normalization. This approach fails to correctly handle non-canonical IPv6 address representations such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses. As a result, IP addresses that should be matched by static deny or allow rules may be bypassed because their non-canonical forms do not match the normalized rule entries. This vulnerability is identified as CWE-185 (Incorrect Regular Expression) and CWE-1289, and is addressed by updating to version 4.12.21.
Potential Impact
The vulnerability allows an attacker to bypass IP-based access control rules configured in the ip-restriction middleware by using non-canonical IPv6 address representations. This can lead to unauthorized access if IP restrictions are relied upon for security. The CVSS score of 5.3 (medium severity) reflects the network attack vector, low complexity, no privileges required, no user interaction, and impact limited to integrity (bypassing restrictions) without confidentiality or availability impact.
Mitigation Recommendations
A fix is available in honojs hono version 4.12.21. Users should upgrade to this version or later to ensure correct normalization and matching of IP addresses in the ip-restriction middleware. No other mitigation is indicated by the vendor advisory or data provided.
CVE-2026-47674: CWE-185: Incorrect Regular Expression in honojs hono
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.
CVSS v3.1
Score 5.3medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The honojs hono framework's ip-restriction middleware prior to version 4.12.21 performs IP address comparisons using string equality after partial normalization. This approach fails to correctly handle non-canonical IPv6 address representations such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses. As a result, IP addresses that should be matched by static deny or allow rules may be bypassed because their non-canonical forms do not match the normalized rule entries. This vulnerability is identified as CWE-185 (Incorrect Regular Expression) and CWE-1289, and is addressed by updating to version 4.12.21.
Potential Impact
The vulnerability allows an attacker to bypass IP-based access control rules configured in the ip-restriction middleware by using non-canonical IPv6 address representations. This can lead to unauthorized access if IP restrictions are relied upon for security. The CVSS score of 5.3 (medium severity) reflects the network attack vector, low complexity, no privileges required, no user interaction, and impact limited to integrity (bypassing restrictions) without confidentiality or availability impact.
Mitigation Recommendations
A fix is available in honojs hono version 4.12.21. Users should upgrade to this version or later to ensure correct normalization and matching of IP addresses in the ip-restriction middleware. No other mitigation is indicated by the vendor advisory or data provided.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-19T21:10:38.798Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1871ece29bf47b5012459d
Added to database: 5/28/2026, 4:48:44 PM
Last enriched: 5/28/2026, 5:04:39 PM
Last updated: 5/29/2026, 10:34:24 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.