CVE-2026-47674 MEDIUM

CVE-2026-47674: Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

Vendor Honojs
Product hono
Weakness CWE-185
Published May 28, 2026
Last update June 2, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.
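The comparison failure described above, as an added example that is not Hono's middleware code or its fix: a textual deny check beside one that compares parsed 128-bit values. The names `parseIPv6`, `DENY`, `deniedByString` and `deniedByValue` are hypothetical, and the addresses are constructed from documentation ranges.

```javascript
// Added example, not Hono's code. Parse IPv6 text into a 128-bit BigInt.
function parseIPv6(text) {
  let s = text.toLowerCase();
  // Rewrite a trailing dotted quad (::ffff:192.0.2.1) as two hex groups.
  const v4 = s.match(/(^|:)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const o = v4.slice(2).map(Number);
    if (o.some((n) => n > 255)) throw new Error(`bad IPv4 part: ${text}`);
    const hi = ((o[0] << 8) | o[1]).toString(16);
    const lo = ((o[2] << 8) | o[3]).toString(16);
    s = `${s.slice(0, v4.index)}${v4[1]}${hi}:${lo}`;
  }
  const halves = s.split('::');
  if (halves.length > 2) throw new Error(`more than one "::": ${text}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  // "::" must stand for at least one group; without it, exactly 8 are needed.
  if (halves.length === 2 ? missing < 1 : missing !== 0) {
    throw new Error(`wrong group count: ${text}`);
  }
  let value = 0n;
  for (const g of [...head, ...Array(missing).fill('0'), ...tail]) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) throw new Error(`bad group: ${text}`);
    value = (value << 16n) | BigInt(parseInt(g, 16));
  }
  return value;
}

// Constructed static deny list (documentation addresses, hypothetical rules).
const DENY = ['2001:db8::1', '::ffff:192.0.2.1'];

// Weak check: textual equality, so other spellings of a listed address pass.
const deniedByString = (addr) => DENY.includes(addr);

// Corrected check: compare the addresses themselves, not their spelling.
const DENY_VALUES = new Set(DENY.map(parseIPv6));
const deniedByValue = (addr) => DENY_VALUES.has(parseIPv6(addr));

// Constructed inputs: explicit-zero, zero-padded, hex IPv4-mapped, unlisted.
for (const a of ['2001:db8:0:0:0:0:0:1', '2001:0db8::0001',
                 '::ffff:c000:201', '2001:db8::2']) {
  console.log(a, 'string:', deniedByString(a), 'value:', deniedByValue(a));
}
```

Parsing both the rule and the incoming address before comparing makes the result independent of how either one was written.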

Key dates

02 Disclosure timeline

May 28, 2026 CVE published
June 2, 2026 Record updated