PT-2026-21921 · Amazon+1 · Aws-Lambda+2
Edamame-X · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27700
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Hono versions 4.12.0 through 4.12.1

Description: Hono is a Web application framework that provides support for any JavaScript runtime. When using the AWS Lambda adapter (hono/aws-lambda) behind an Application Load Balancer (ALB), the getConnInfo() function incorrectly selected the first value from the X-Forwarded-For header. Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms, such as the ipRestriction middleware, to be bypassed. The X-Forwarded-For header is used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

Recommendations: Versions prior to 4.12.2 are affected. Update to version 4.12.2 or later to resolve this issue.
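The following is an added illustration, not Hono's getConnInfo() or ipRestriction code: it models the header handling the advisory describes, with a first-value selector (the affected behaviour) beside a last-value selector (the corrected behaviour), and runs both against a constructed X-Forwarded-For header to which an ALB has appended the real source address. The allow list, the header values and the helper names are assumptions for the demonstration.

```javascript
// Added example (not Hono's own code). Models how a Lambda handler behind an
// AWS ALB derives the client IP from X-Forwarded-For, and why taking the
// first entry is bypassable while taking the last entry is not.
//
// ALB appends the address it actually accepted the connection from to the END
// of X-Forwarded-For. That position is the only one the handler can trust when
// the ALB is the sole proxy in front of the Lambda; everything before it is
// whatever the client chose to send.

// Affected behaviour as described in the advisory: first entry wins.
function clientIpFirst(headers) {
  const xff = headers['x-forwarded-for'] || '';
  return xff.split(',')[0].trim();
}

// Corrected behaviour: last entry, i.e. the one appended by the ALB.
function clientIpLast(headers) {
  const xff = headers['x-forwarded-for'] || '';
  const parts = xff.split(',').map((s) => s.trim()).filter(Boolean);
  return parts.length ? parts[parts.length - 1] : '';
}

// Minimal stand-in for an ipRestriction-style allow list (hypothetical helper).
function isAllowed(ip, allowList) {
  return allowList.includes(ip);
}

// Constructed input: the client supplied an X-Forwarded-For value carrying an
// allow-listed address; the ALB then appended the true source (198.51.100.7).
const ALLOW_LIST = ['10.0.0.5'];
const ALB_FORWARDED_HEADERS = { 'x-forwarded-for': '10.0.0.5, 198.51.100.7' };

// Access decision using the affected selector: the spoofed entry is trusted.
function vulnerableDecision(headers = ALB_FORWARDED_HEADERS) {
  return isAllowed(clientIpFirst(headers), ALLOW_LIST);
}

// Access decision using the corrected selector: the ALB-appended entry is used.
function fixedDecision(headers = ALB_FORWARDED_HEADERS) {
  return isAllowed(clientIpLast(headers), ALLOW_LIST);
}

console.log('first-entry selector allows request:', vulnerableDecision()); // true
console.log('last-entry selector allows request: ', fixedDecision());      // false
```

Selecting the last entry is only correct because the ALB is the trusted hop that appended it; with additional trusted proxies between ALB and client, the handler would need to skip exactly as many trailing entries as there are trusted hops.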

Weakness Enumeration

Insufficient Verification of Data Authenticity
Authentication Bypass by Spoofing

Related Identifiers

CVE-2026-27700
GHSA-XH87-MX6M-69F3

Affected Products

Aws-Lambda
Aws Application Load Balancers
Hono