{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27700", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T17:56:51.202Z", "datePublished": "2026-02-25T15:01:44.681Z", "dateUpdated": "2026-02-27T17:01:28.403Z"}, "containers": {"cna": {"title": "Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3"}, {"name": "https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7"}, {"name": "https://github.com/honojs/hono/releases/tag/v4.12.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/releases/tag/v4.12.2"}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"version": ">= 4.12.0, < 4.12.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T15:01:44.681Z"}, "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue."}], "source": {"advisory": "GHSA-xh87-mx6m-69f3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:01:17.956003Z", "id": "CVE-2026-27700", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:01:28.403Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27700", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T17:01:17.956003Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:01:23.329Z"}}], "cna": {"title": "Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo", "source": {"advisory": "GHSA-xh87-mx6m-69f3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"status": "affected", "version": ">= 4.12.0, < 4.12.2"}]}], "references": [{"url": "https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3", "name": "https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7", "name": "https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/honojs/hono/releases/tag/v4.12.2", "name": "https://github.com/honojs/hono/releases/tag/v4.12.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T15:01:44.681Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27700", "state": "PUBLISHED", "dateUpdated": "2026-02-27T17:01:28.403Z", "dateReserved": "2026-02-23T17:56:51.202Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T15:01:44.681Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DF3B2F63-1712-4399-AEFD-660399D4B160", "versionEndExcluding": "4.12.2", "versionStartIncluding": "4.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue."}], "id": "CVE-2026-27700", "lastModified": "2026-03-02T16:17:53.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-25T16:23:26.440", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/honojs/hono/releases/tag/v4.12.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}, {"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-290"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.12.0,4.12.2)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "hono", "source": "cna", "vendor": "honojs"}, "product": "hono", "vendor": "hono"}], "analysis": {"en": {"generated_at": "2026-04-16T16:12:50.431122+00:00", "value": {"mitigation_remediation": ["Upgrade the Hono framework to version 4.12.2 or later.", "If an upgrade is not immediately possible, modify IP-restriction logic to validate the last value of X-Forwarded-For or reject requests with multiple entries in the header.", "Reconfigure the AWS ALB to discontinue inclusion of X-Forwarded-For or to use a trusted header such as X-Real-Ip and adjust the Lambda adapter accordingly."], "summary": {"action": "Apply Patch", "impact": "IP-based authentication bypass"}, "threat_synthesis": {"affected_systems": "Affected systems are deployments of the Hono framework v4.12.0 through v4.12.1 running on Node.js when used with the AWS Lambda adapter behind an AWS Application Load Balancer. The issue is present only in those specific versions; the fix was introduced in version 4.12.2.", "description_and_impact": "Hono is a JavaScript web framework that runs on any JavaScript runtime. In versions 4.12.0 and 4.12.1 the getConnInfo function incorrectly parses the X-Forwarded-For header by taking its first value. Because an AWS Application Load Balancer appends the real client IP to the end of the header, the first entry can be supplied by an attacker. This flaw allows an attacker to forge the header and bypass IP-based access control mechanisms such as the ipRestriction middleware, effectively gaining authenticated access without proper credentials.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.2, indicating high severity, but its EPSS score is below 1\u202f% and it is not listed in the CISA KEV catalog, suggesting a low current exploitation chance. The attack vector would involve an attacker sending traffic to the ALB with a forged X-Forwarded-For header; the framework then uses the attacker-controlled value for IP checks, allowing a bypass. No known public exploits exist yet, but the flaw can be mitigated by upgrading or reconfiguring the load balancer or framework."}}}}, "created": "2026-02-26T13:15:59.807592+00:00", "updated": "2026-04-16T16:15:08.476476+00:00", "vendors": ["hono", "hono$PRODUCT$hono"]}