CVE-2026-39409

MEDIUM SEVERITY

Vulnerability Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.

Vulnerability Details

Published Date

April 08, 2026

Last Modified

April 08, 2026

CWE ID

CWE-180

Source

GitHub

Vendor

npm

Product

hono

External References

https://github.com/honojs/hono/security/advisories/GHSA-xpcf-pg52-r92g
https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39
https://github.com/honojs/hono/releases/tag/v4.12.12
https://github.com/advisories/GHSA-xpcf-pg52-r92g

CVE-2026-39409

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment