PT-2026-31283 · Hono · Hono

Published 2026-04-08 · Updated 2026-05-18 · CVE-2026-39409

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Hono versions prior to 4.12.12

Description

The ipRestriction() function does not properly handle IPv4-mapped IPv6 client addresses (e.g., ::ffff:127.0.0.1) when applying IPv4 allow or deny rules. In dual-stack environments like Node.js, this can lead to IPv4 rules failing to match, resulting in incorrect authorization. The middleware classifies client addresses based on their textual form, treating IPv4-mapped IPv6 addresses as IPv6 and skipping IPv4 CIDR rules. This can allow denied IPv4 clients to bypass access restrictions or cause legitimate clients to be incorrectly rejected.

Recommendations

Update to Hono version 4.12.12 or later.
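
The mismatch described above, shown as an added example that is not Hono's code: a deny check that classifies addresses by their text skips IPv4 CIDR rules for mapped addresses, while unmapping first applies them. Function names and the deny-list format are assumptions, and only the compressed ::ffff: spelling is handled.

```javascript
// Added example: names and rule format are assumptions, not Hono's API.

// Parse dotted-quad IPv4 into an unsigned 32-bit integer, or null if invalid.
function parseIPv4(text) {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// Return the embedded IPv4 address for ::ffff:a.b.c.d or ::ffff:hhhh:hhhh,
// otherwise return the input unchanged.
function unmapIPv4(addr) {
  const m = /^::ffff:(.+)$/i.exec(addr.trim());
  if (!m) return addr;
  if (parseIPv4(m[1]) !== null) return m[1];
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(m[1]);
  if (!hex) return addr;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 255, lo >> 8, lo & 255].join(".");
}

// True when addr (dotted IPv4) falls inside cidr such as "127.0.0.0/8".
function inIPv4Cidr(addr, cidr) {
  const [base, bitsText = "32"] = cidr.split("/");
  const ip = parseIPv4(addr), net = parseIPv4(base);
  const bits = /^\d{1,2}$/.test(bitsText) ? Number(bitsText) : NaN;
  if (ip === null || net === null || !(bits >= 0 && bits <= 32)) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(ip / size) === Math.floor(net / size);
}

// Textual classification: anything containing ":" is treated as IPv6,
// so IPv4 CIDR rules are skipped for mapped addresses.
function deniedByText(addr, denyCidrs) {
  if (addr.includes(":")) return false;
  return denyCidrs.some((c) => inIPv4Cidr(addr, c));
}

// Normalized: unmap first, then apply the same IPv4 rules.
function deniedNormalized(addr, denyCidrs) {
  return deniedByText(unmapIPv4(addr), denyCidrs);
}
```

The same comparison can be run against an allow list to see the opposite outcome, where a legitimate mapped client fails to match its IPv4 rule.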


Related Identifiers

CLEANSTART-2026-BE61221
CVE-2026-39409
GHSA-XPCF-PG52-R92G

Affected Products

Hono