{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30827", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.606Z", "datePublished": "2026-03-07T05:19:08.206Z", "dateUpdated": "2026-03-09T20:44:25.979Z"}, "containers": {"cna": {"title": "express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq"}, {"name": "https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4", "tags": ["x_refsource_MISC"], "url": "https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4"}], "affected": [{"vendor": "express-rate-limit", "product": "express-rate-limit", "versions": [{"version": ">= 8.0.0, < 8.0.2", "status": "affected"}, {"version": ">= 8.1.0, < 8.1.1", "status": "affected"}, {"version": ">= 8.2.0, < 8.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:19:53.932Z"}, "descriptions": [{"lang": "en", "value": "express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0."}], "source": {"advisory": "GHSA-46wh-pxpv-q5gq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30827", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:40:59.712815Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:44:25.979Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30827", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:40:59.712815Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:42:01.780Z"}}], "cna": {"title": "express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)", "source": {"advisory": "GHSA-46wh-pxpv-q5gq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "express-rate-limit", "product": "express-rate-limit", "versions": [{"status": "affected", "version": ">= 8.0.0, < 8.0.2"}, {"status": "affected", "version": ">= 8.1.0, < 8.1.1"}, {"status": "affected", "version": ">= 8.2.0, < 8.2.2"}]}], "references": [{"url": "https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq", "name": "https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4", "name": "https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:19:53.932Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30827", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:44:25.979Z", "dateReserved": "2026-03-05T21:06:44.606Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T05:19:08.206Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:express-rate-limit_project:express-rate-limit:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE5ED6AB-D445-4E61-86B1-FBC0659382A0", "versionEndExcluding": "8.0.2", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:express-rate-limit_project:express-rate-limit:*:*:*:*:*:*:*:*", "matchCriteriaId": "F501D9EB-DFE4-496D-8471-61DE755B9E05", "versionEndExcluding": "8.2.2", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:express-rate-limit_project:express-rate-limit:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C56713D6-533F-424A-B511-5E63014709D8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0."}, {"lang": "es", "value": "express-rate-limit es un middleware b\u00e1sico de limitaci\u00f3n de tasa para Express. En versiones a partir de la 8.0.0 y anteriores a las versiones 8.0.2, 8.1.1, 8.2.2 y 8.3.0, el keyGenerator predeterminado en express-rate-limit aplica enmascaramiento de subred IPv6 (/56 por defecto) a todas las direcciones para las que net.isIPv6() devuelve verdadero. Esto incluye direcciones IPv6 mapeadas a IPv4 (::ffff:x.x.x.x), que Node.js devuelve como request.ip en servidores de doble pila. Debido a que los primeros 80 bits de todas las direcciones mapeadas a IPv4 son cero, una m\u00e1scara de subred /56 (o cualquier /32 a /80) produce la misma clave de red (::/56) para cada cliente IPv4. Esto colapsa todo el tr\u00e1fico IPv4 en un \u00fanico cubo de limitaci\u00f3n de tasa: un cliente que agota el l\u00edmite causa HTTP 429 para todos los dem\u00e1s clientes IPv4. Este problema ha sido parcheado en las versiones 8.0.2, 8.1.1, 8.2.2 y 8.3.0."}], "id": "CVE-2026-30827", "lastModified": "2026-03-11T19:00:50.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T06:16:10.507", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "express-rate-limit: express-rate-limit: Denial of Service for IPv4 clients due to incorrect IPv6 subnet masking", "id": "2445429", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445429"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1389", "details": ["express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0."], "mitigation": {"lang": "en:us", "value": "Restrict network access to applications utilizing the express-rate-limit middleware to trusted clients or networks. Implementing firewall rules or network access controls can prevent untrusted actors from exploiting the shared rate-limit bucket vulnerability affecting IPv4-mapped IPv6 addresses on dual-stack servers."}, "name": "CVE-2026-30827", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-tech-preview/mcp-server-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-03-07T05:19:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30827\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30827\nhttps://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4\nhttps://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.0.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.1.0,8.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.2.0,8.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "express-rate-limit", "source": "cna", "vendor": "express-rate-limit"}, "product": "express-rate-limit", "vendor": "express-rate-limit"}], "analysis": {"en": {"generated_at": "2026-04-17T12:14:56.741363+00:00", "value": {"mitigation_remediation": ["Upgrade express\u2011rate\u2011limit to a patched release (\u22658.0.2, \u22658.1.1, \u22658.2.2, or \u22658.3.0).", "Configure a custom keyGenerator callback that strips the ::ffff: prefix or uses the raw IPv4 address when the request is identified as IPv4\u2011mapped, ensuring each client receives a distinct bucket.", "Run the application on a Node.js instance configured for IPv4 only, or otherwise disable IPv6 handling on the server to prevent IPv4\u2011mapped addresses from being presented to express\u2011rate\u2011limit."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via shared rate\u2011limit bucket"}, "threat_synthesis": {"affected_systems": "The issue affects the express\u2011rate\u2011limit npm package, specifically versions 8.0.0 through 8.0.1, 8.1.0, 8.2.0\u20118.2.1, and any pre\u2011patch release older than 8.0.2, 8.1.1, 8.2.2, or 8.3.0. Environment impact is Node.js Express applications that rely on the default rate\u2011limiting middleware and run on dual\u2011stack network stacks or where IPv6 is enabled.", "description_and_impact": "The vulnerability arises from express\u2011rate\u2011limit treating IPv4\u2011mapped IPv6 addresses as a single subnet due to the default keyGenerator applying /56 masking to any address reported as IPv6. All IPv4 clients share the same network key, collapsing them into one rate\u2011limit bucket. When one such client exceeds the threshold, the middleware returns HTTP 429 for every IPv4 client on the server, effectively denying service to all non\u2011bypassable traffic. This weakness exposes a denial\u2011of\u2011service impact classified under CWE\u20111389 and CWE\u2011770. Based on the description, it is inferred that the patch replaces the default key generation so that IPv4\u2011mapped addresses are separated from each other or handled like native IPv4 addresses, restoring client\u2011specific rate limits. The affected Node.js applications expose the issue only on dual\u2011stack servers where requests from IPv4 clients are presented as IPv4\u2011mapped IPv6 values, typically via request.ip.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.5, placing it in the high severity range. EPSS indicates an exploitation probability of less than 1%, suggesting relatively low activity, and it is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that attackers can exploit this remotely by sending excessive requests from a single IPv4 client on a dual\u2011stack server, triggering the shared bucket. The impact is the denial of service to all other IPv4 clients. While the flaw is network\u2011accessible, it does not require privileged credentials or local access, making it feasible for attackers controlling a single client connection, based on the description. The likely attack vector involves a remote client manipulating request.ip over IPv6 to trigger the shared bucket. The effective attack surface is the rate\u2011limit configuration exposed by express\u2011rate\u2011limit in production deployments."}}}}, "created": "2026-03-09T10:05:53.671309+00:00", "updated": "2026-04-17T12:15:18.178321+00:00", "vendors": ["express-rate-limit", "express-rate-limit$PRODUCT$express-rate-limit"]}