Hono Web Framework IP Restriction Middleware Authorization Bypass Vulnerability

Vulnerability

A vulnerability exists in the Hono web application framework in versions prior to 4.12.12, specifically within the IP restriction middleware. The middleware does not canonicalize IPv4-mapped IPv6 addresses (the ::ffff:a.b.c.d form) before applying IPv4 allow or deny rules. In dual-stack Node.js environments, where a server listening on an IPv6 socket sees IPv4 clients in exactly that form, an IPv4 rule written as 127.0.0.1 or 10.0.0.0/8 is never matched against such a client, so requests can be incorrectly allowed or denied.

Impact

This vulnerability causes applications to misapply IP-based access controls: a request that should be blocked by a deny rule can be accepted, and a legitimate request that should match an allow rule can be rejected.

Reproduction

In a Node.js environment with dual-stack networking, configure the IP restriction middleware with IPv4-based rules, for example a deny rule for 127.0.0.1. Then send a request from an IPv4 client whose remote address the runtime reports as an IPv4-mapped IPv6 address (e.g., '::ffff:127.0.0.1'). Because the address is not reduced to 127.0.0.1 before matching, the deny rule does not apply and the request is accepted, demonstrating the authorization bypass. The same mismatch causes a client that should be covered by an IPv4 allow rule to be rejected.
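The following is an added example, not Hono's own implementation: a minimal IPv4 allow/deny matcher that models the failure mode described above. decideVulnerable() applies IPv4 rules to the raw remote address string, as the affected middleware does; decideFixed() first canonicalizes IPv4-mapped IPv6 addresses to dotted IPv4, which is the class of fix the advisory describes. The rule format, the deny-before-allow ordering, the "empty allow list means allow unless denied" semantics and the sample policies are assumptions of this model, and the remote address strings are constructed to look like what a dual-stack Node.js socket reports.

```typescript
// Added example (not Hono's code): models the IPv4-mapped IPv6 canonicalization gap.

interface Policy {
  denyList: string[];  // IPv4 addresses or CIDR ranges, e.g. "127.0.0.1", "10.0.0.0/8"
  allowList: string[]; // same format; empty means "allow unless denied" (assumption of this model)
}

interface IPv4Rule {
  net: number;  // network prefix value, i.e. address shifted right by (32 - bits)
  bits: number; // prefix length
}

// Dotted-quad IPv4 -> unsigned 32-bit value held in a plain number (no signed bitwise ops).
function parseIPv4(s: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// "a.b.c.d" or "a.b.c.d/bits" -> network prefix plus prefix length; null if not IPv4.
function parseIPv4Rule(rule: string): IPv4Rule | null {
  const parts = rule.split('/');
  const n = parseIPv4(parts[0] ?? '');
  if (n === null) return null;
  const bits = parts.length === 1 ? 32 : Number(parts[1]);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return null;
  return { net: Math.floor(n / Math.pow(2, 32 - bits)), bits };
}

function inRule(addr: number, rule: IPv4Rule): boolean {
  return Math.floor(addr / Math.pow(2, 32 - rule.bits)) === rule.net;
}

// The fix: reduce an IPv4-mapped IPv6 address to its dotted IPv4 form so IPv4 rules apply.
// Handles the compressed form (::ffff:127.0.0.1), the uncompressed form
// (0:0:0:0:0:ffff:127.0.0.1) and the hex-group form (::ffff:7f00:1). Anything else is unchanged.
function canonicalize(remote: string): string {
  const dotted = /^(?:::|(?:0{1,4}:){5})ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(remote);
  if (dotted) return String(dotted[1]);
  const hex = /^(?:::|(?:0{1,4}:){5})ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(remote);
  if (hex) {
    const hi = parseInt(String(hex[1]), 16);
    const lo = parseInt(String(hex[2]), 16);
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
  }
  return remote;
}

// Shared decision logic. Deny rules are checked before allow rules (assumption of this model).
// A remote address that is not plain IPv4 can only match a rule that is byte-for-byte identical,
// which is exactly why "::ffff:127.0.0.1" slips past a "127.0.0.1" rule.
function decide(remote: string, policy: Policy): boolean {
  const addr = parseIPv4(remote);
  const listed = (rules: string[]): boolean =>
    rules.some((r) => {
      const parsed = parseIPv4Rule(r);
      return parsed !== null && addr !== null ? inRule(addr, parsed) : r === remote;
    });
  if (listed(policy.denyList)) return false;
  if (policy.allowList.length === 0) return true;
  return listed(policy.allowList);
}

// Vulnerable behaviour: the raw remote address string is matched against IPv4 rules.
function decideVulnerable(remote: string, policy: Policy): boolean {
  return decide(remote, policy);
}

// Fixed behaviour: canonicalize first, then match.
function decideFixed(remote: string, policy: Policy): boolean {
  return decide(canonicalize(remote), policy);
}

// Constructed policies and addresses for the two outcomes the advisory describes.
const denyLoopback: Policy = { denyList: ['127.0.0.1'], allowList: [] };
const allowInternal: Policy = { denyList: [], allowList: ['10.0.0.0/8'] };

function runScenarios(): Record<string, boolean> {
  return {
    vulnerableBypassesDeny: decideVulnerable('::ffff:127.0.0.1', denyLoopback), // true: deny rule bypassed
    fixedDenies: decideFixed('::ffff:127.0.0.1', denyLoopback),                 // false: correctly denied
    vulnerableRejectsAllowed: decideVulnerable('::ffff:10.1.2.3', allowInternal), // false: legitimate client rejected
    fixedAllows: decideFixed('::ffff:10.1.2.3', allowInternal),                 // true: correctly allowed
  };
}
```

On a Node.js server listening on a dual-stack socket, socket.remoteAddress for an IPv4 client is reported as ::ffff:a.b.c.d, which is where such strings enter the middleware. The practical check when auditing a deployment is therefore to send a request over IPv4 to a server bound to :: and confirm that the IPv4 deny rule still fires; if it only fires when the server is bound to 0.0.0.0, the canonicalization step is missing.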

Remediation

Users are advised to upgrade to Hono version 4.12.12 or later, which addresses this vulnerability by canonicalizing IPv4-mapped IPv6 addresses to their IPv4 form before the IP restriction middleware evaluates IPv4 allow and deny rules.

Added: Apr 8, 2026, 3:32 PM
Updated: Apr 8, 2026, 3:32 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 1.9
exploitability: 7.4
remediation: 7.7
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.