CVE-2026-47674: Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

June 4, 2026

The ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped.

References

github.com/advisories/GHSA-xrhx-7g5j-rcj5
github.com/honojs/hono/commit/c831020fb1fa2e929d222f6c84e1abfe013e512b
github.com/honojs/hono/releases/tag/v4.12.21
github.com/honojs/hono/security/advisories/GHSA-xrhx-7g5j-rcj5
nvd.nist.gov/vuln/detail/CVE-2026-47674

Code Behaviors & Features

Detect and mitigate CVE-2026-47674 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →