PT-2026-23791 · Unknown · Express-Rate-Limit
Tinkanet · Published 2026-03-06 · Updated 2026-05-18 · CVE-2026-30827
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
express-rate-limit versions 8.0.0 through 8.0.1
express-rate-limit versions 8.1.0 through 8.1.1
express-rate-limit versions 8.2.0 through 8.2.1
Description
The default keyGenerator in express-rate-limit incorrectly applies IPv6 subnet masking to IPv4-mapped IPv6 addresses. As a result, all IPv4 traffic is placed into a single rate-limit bucket, so a single client that exhausts the rate limit causes HTTP 429 responses for every other IPv4 client. The issue occurs on Node.js dual-stack servers where request.ip contains IPv4-mapped IPv6 addresses, and it affects the default keyGenerator configuration only. The issue can lead to a denial of service, since one client can block all IPv4 traffic.
Recommendations
Update to express-rate-limit version 8.0.2.
Update to express-rate-limit version 8.1.1.
Update to express-rate-limit version 8.2.2.
Update to express-rate-limit version 8.3.0.
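As an added illustration, not code from express-rate-limit itself, the following model reproduces the bucketing behaviour described above and shows a key generator that unwraps IPv4-mapped addresses before any IPv6 masking; the /56 prefix, the helper names and the sample addresses are assumptions of this example.

```javascript
// Added example, not express-rate-limit's own code: a minimal model of the
// bucketing flaw described in the advisory and a hardened keyGenerator.
// Assumption: IPv6 clients are bucketed per /56 prefix, IPv4 clients per address.
const IPV4_MAPPED = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i;

// Expand an IPv6 address into 8 numeric hextets (handles "::" compression).
function expandIpv6(ip) {
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const zeros = Array(8 - h.length - t.length).fill("0");
  return [...h, ...zeros, ...t].map((x) => parseInt(x, 16));
}

// Keep only the first `bits` bits of the address and render it as a key.
function maskIpv6(ip, bits) {
  const masked = expandIpv6(ip).map((hextet, i) => {
    const keep = Math.max(0, Math.min(16, bits - i * 16));
    return ((hextet & (0xffff << (16 - keep))) & 0xffff).toString(16);
  });
  return masked.join(":") + "/" + bits;
}

// Flawed behaviour: anything containing ":" is masked as IPv6, so every
// IPv4-mapped address ("::ffff:a.b.c.d") collapses into one /56 bucket.
function keyFlawed(ip) {
  return ip.includes(":") ? maskIpv6(ip, 56) : ip;
}

// Hardened: unwrap IPv4-mapped addresses before choosing how to bucket,
// so each IPv4 client keeps its own rate-limit counter.
function keyHardened(ip) {
  const m = IPV4_MAPPED.exec(ip);
  if (m) return m[1];
  return ip.includes(":") ? maskIpv6(ip, 56) : ip;
}

// How many distinct rate-limit buckets a set of client IPs would occupy.
function distinctBuckets(keyFn, ips) {
  return new Set(ips.map(keyFn)).size;
}

// Constructed sample: three IPv4 clients as seen on a dual-stack socket, plus
// two IPv6 clients in different /56 prefixes.
const SAMPLE_IPS = [
  "::ffff:203.0.113.5", "::ffff:198.51.100.7", "::ffff:192.0.2.9",
  "2001:db8:1::1", "2001:db8:2::1",
];
```

With the flawed generator the three IPv4 clients share one bucket (3 buckets in total for the sample); with the hardened one every client gets its own (5 buckets).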
Weakness Enumeration
Allocation of Resources Without Limits
Affected Products
Express-Rate-Limit