CVE-2026-24398

{"id": "CVE-2026-24398", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-01-27T19:16:16.363", "references": [{"url": "https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/honojs/hono/releases/tag/v4.11.7", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-185"}]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue."}, {"lang": "es", "value": "Hono es un framework de aplicaci\u00f3n web que proporciona soporte para cualquier entorno de ejecuci\u00f3n de JavaScript. Antes de la versi\u00f3n 4.11.7, el Middleware de Restricci\u00f3n de IP en Hono es vulnerable a una omisi\u00f3n de validaci\u00f3n de direcci\u00f3n IP. El patr\u00f3n 'IPV4_REGEX' y la funci\u00f3n 'convertIPv4ToBinary' en 'src/utils/ipaddr.ts' no validan correctamente que los valores de octeto IPv4 est\u00e9n dentro del rango v\u00e1lido de 0-255, permitiendo a los atacantes crear direcciones IP malformadas que eluden los controles de acceso basados en IP. La versi\u00f3n 4.11.7 contiene un parche para el problema."}], "lastModified": "2026-02-04T15:34:58.003", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D0406A9F-E15B-452E-940A-ABF25EEAA871", "versionEndExcluding": "4.11.7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}