CVE-2026-27700

{"id": "CVE-2026-27700", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-25T16:23:26.440", "references": [{"url": "https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/honojs/hono/releases/tag/v4.12.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-290"}, {"lang": "en", "value": "CWE-345"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue."}, {"lang": "es", "value": "Hono es un framework de aplicaci\u00f3n web que proporciona soporte para cualquier entorno de ejecuci\u00f3n de JavaScript. En las versiones 4.12.0 y 4.12.1, al usar el adaptador de AWS Lambda ('hono/aws-lambda') detr\u00e1s de un Application Load Balancer (ALB), la funci\u00f3n 'getConnInfo()' seleccion\u00f3 incorrectamente el primer valor del encabezado 'X-Forwarded-For'. Debido a que AWS ALB a\u00f1ade la direcci\u00f3n IP del cliente real al final del encabezado 'X-Forwarded-For', el primer valor puede ser controlado por el atacante. Esto podr\u00eda permitir que los mecanismos de control de acceso basados en IP (como el middleware 'ipRestriction') fueran eludidos. La versi\u00f3n 4.12.2 corrige el problema."}], "lastModified": "2026-03-02T16:17:53.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DF3B2F63-1712-4399-AEFD-660399D4B160", "versionEndExcluding": "4.12.2", "versionStartIncluding": "4.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}