CVE-2026-24398
PUBLISHED
CVSS 4.8 MEDIUM
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue.
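The failure mode described above, as an added example that is not Hono's code: a shape-only pattern accepts an octet of 256 and packs it into the same 32-bit value as a different address, while a parser that range-checks each octet rejects it. `LENIENT_IPV4`, `lenientToInt`, `strictToInt` and `isAllowed` are hypothetical names, the addresses are constructed samples, and rejecting leading zeros is an assumption of this example.

```javascript
// Added example, NOT Hono's source. LENIENT_IPV4 is a constructed pattern that
// checks only the shape of the address, the class of bug described above.
const LENIENT_IPV4 = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;

// Packs four octets into one integer with no range check (hypothetical helper).
function lenientToInt(ip) {
  if (!LENIENT_IPV4.test(ip)) return null;
  return ip.split('.').reduce((acc, part) => (acc << 8n) + BigInt(part), 0n);
}

// Strict parser: exactly four decimal octets, each 0-255, no leading zeros.
function strictToInt(ip) {
  if (typeof ip !== 'string') return null;
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let value = 0n;
  for (const part of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null; // the range check the advisory says was missing
    value = (value << 8n) | BigInt(octet);
  }
  return value;
}

// Exact-match allow rule that fails closed on anything the strict parser rejects.
function isAllowed(remoteAddr, allowedAddr) {
  const remote = strictToInt(remoteAddr);
  const allowed = strictToInt(allowedAddr);
  return remote !== null && allowed !== null && remote === allowed;
}

// Constructed samples (documentation range 192.0.2.0/24), not from the advisory.
function demo() {
  return {
    lenientAcceptsBadOctet: lenientToInt('192.0.2.256') !== null,
    lenientCollides: lenientToInt('192.0.2.256') === lenientToInt('192.0.3.0'),
    strictRejectsBadOctet: strictToInt('192.0.2.256') === null,
    validStillAllowed: isAllowed('192.0.2.10', '192.0.2.10'),
    malformedDenied: isAllowed('192.0.2.256', '192.0.3.0'),
  };
}
console.log(demo());
```

The same constructed inputs make a useful regression test for any allow-list code that parses addresses itself instead of relying on the patched 4.11.7 middleware.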
EPSS 0.02% · 3.6th percentile
Risk Scores
CVSS v3.1
4.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score
0.02%
3.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| honojs | hono | < 4.11.7 |
| npm | hono | 0 |
| hono | hono | 0 |
Timeline
- Jan 27, 2026 CVE Published
- Jan 27, 2026 PoC Published
- Jan 28, 2026 EPSS Score
- Jan 29, 2026 CVE Updated
- Jan 29, 2026 Security Advisory
- Jan 30, 2026 EPSS Score
- Feb 2, 2026 EPSS Score
- Feb 4, 2026 EPSS Score
- Feb 7, 2026 EPSS Score
- Feb 9, 2026 EPSS Score
- Feb 12, 2026 EPSS Score
- Feb 14, 2026 EPSS Score
References
- https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh
- https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37
- https://github.com/honojs/hono/releases/tag/v4.11.7
- https://nvd.nist.gov/vuln/detail/CVE-2026-24398 (advisory)
- https://github.com/honojs/hono (package)