CVE-2026-47674— Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47674
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
Source: NVD (National Vulnerability Database)
Vulnerability Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
不正确的正则表达式
Source: NVD (National Vulnerability Database)
Vulnerability Title
Hono 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Hono是Hono社区的一个用 TypeScript 编写的 Web 框架。 Hono 4.12.21之前版本存在安全漏洞,该漏洞源于ip-restriction中间件在部分规范化后使用字符串相等性比较IP地址,可能导致非规范IPv6表示形式绕过静态规则。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-47674
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47674
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-47674 (1)
Same Patch Batch · honojs · 2026-05-28 · 4 CVEs total
| CVE-2026-47676 | 5.3 MEDIUM | Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for |
| CVE-2026-47673 | 4.8 MEDIUM | Hono: JWT middleware accepts any Authorization scheme, not only Bearer |
| CVE-2026-47675 | 4.3 MEDIUM | Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection |
IV. Related Vulnerabilities
Same product: hono
- CVE-2026-47673
Hono: JWT middleware accepts any Authorization scheme, not o - CVE-2026-47675
Hono: Cookie helper does not sanitize sameSite and priority, - CVE-2026-47676
Hono: app.mount() strips mount prefix using undecoded path, - CVE-2026-44459
Hono: Improper validation of NumericDate claims (exp, nbf, i - CVE-2026-44458
Hono: CSS Declaration Injection via Style Object Values in J
Same vendor: honojs
- CVE-2026-47673
Hono: JWT middleware accepts any Authorization scheme, not o - CVE-2026-47675
Hono: Cookie helper does not sanitize sameSite and priority, - CVE-2026-47676
Hono: app.mount() strips mount prefix using undecoded path, - CVE-2026-44459
Hono: Improper validation of NumericDate claims (exp, nbf, i - CVE-2026-44458
Hono: CSS Declaration Injection via Style Object Values in J
Same weakness: CWE-185
- CVE-2026-48147
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypa - CVE-2026-4296
Incorrect Regular Expression vulnerability in GitHub Enterpr - CVE-2026-25542
Tekton Pipelines: VerificationPolicy regex pattern bypass vi - CVE-2026-39350
Istio AuthorizationPolicy Incorrect Regex Matching of Dots i - CVE-2026-33418
@dicebear/converter ensureSize() Vulnerable to SVG Dimension
V. Comments for CVE-2026-47674
No comments yet