CVE-2026-30827 — Vulnetix

CVE-2026-30827 PUBLISHED CVSS 7.5 HIGH

express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network

EPSS 0.03% · 8.3th percentile

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.03%

8.3th percentile

Affected Products

Vendor	Product	Versions
AWS	connect
npm	express-rate-limit	8.1.0, 8.0.0, 8.1.0
express-rate-limit	express-rate-limit	>= 8.0.0, < 8.0.2, ,
express-rate-limit_project	express-rate-limit	8.2.0, 8.1.0, 8.0.0

Exploit Intelligence

CIRCL seen: CVE-2026-30827 (circl-sighting)
https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4 (circl)
https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq (nist-nvd)
rateLimits.ts (github-poc)
rateLimit.ts (github-poc)
trivity-report.html (github-poc)
trivity-report.html (github-poc)
trivity-report.html (github-poc)
trivity-report.html (github-poc)
trivity-report.html (github-poc)

…and 25 more exploits

Timeline

Mar 6, 2026 CVE Published
Mar 7, 2026 EPSS Score
Mar 7, 2026 PoC Published
Mar 8, 2026 EPSS Score
Mar 9, 2026 CVE Updated
Mar 9, 2026 EPSS Score
Mar 10, 2026 Security Advisory
Mar 11, 2026 EPSS Score
Mar 12, 2026 EPSS Score
Mar 13, 2026 EPSS Score
Mar 14, 2026 EPSS Score
Mar 15, 2026 EPSS Score

References

Open in Interactive Console →

$ Console Community · 100/wk Open console ›