CVE-2026-47674
EUVD-2026-3292628.05.2026, 17:16
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| hono | hono | 𝑥 < 4.12.21 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration