Hono
cpe:2.3:a:hono:hono:*:*:*:*:node.js:*:*
- < 4.12.21
A vulnerability in the Hono web application framework's IP restriction middleware prior to version 4.12.21 allows for the bypass of static deny rules for non-canonical IPv6 addresses. The middleware compares incoming IP addresses against configured rules using string equality after partial normalization. This approach fails to recognize certain representations of IPv6 addresses, such as compressed forms or hex-notation IPv4-mapped addresses, leading to unauthorized access where IP-based restrictions are intended.
This vulnerability can result in unauthorized access to endpoints that are supposed to be restricted based on IP address. It allows for the bypass of IP-based access controls, particularly in environments where the source IP address is provided in a non-canonical form, such as through proxy headers or custom implementations that return invalid IP strings.
Users can upgrade to Hono version 4.12.21 or later to address this vulnerability.
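As an added illustration, not Hono's own code or its fix, the snippet below does the comparison on a canonical form rather than on the raw string, so compressed IPv6 and hex-notation IPv4-mapped spellings of one address all hit the same deny rule. The rule format, the fail-closed handling of unparseable input and the choice to key plain IPv4 as its IPv4-mapped form are assumptions of this example.

```javascript
// Added example, not Hono's own code: canonicalize IP strings before comparing
// them with deny rules, so every spelling of one address hits the same rule.
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
// Returns the four octets of a dotted-quad IPv4 string, or null if invalid.
function parseIPv4(s) {
  const m = IPV4_RE.exec(s);
  const octets = m ? m.slice(1).map(Number) : null;
  return octets && octets.every((o) => o <= 255) ? octets : null;
}
// Returns the eight 16-bit groups of an IPv6 string (compressed "::" and an
// embedded dotted IPv4 tail expanded), or null if the string is not IPv6.
function parseIPv6(s) {
  const parts = s.split('::');
  if (parts.length > 2) return null;           // at most one "::" is allowed
  const toGroups = (str, allowV4) => {
    if (str === '') return [];
    const items = str.split(':');
    const groups = [];
    for (let i = 0; i < items.length; i++) {
      // a dotted IPv4 quad may only appear as the final group
      const v4 = allowV4 && i === items.length - 1 ? parseIPv4(items[i]) : null;
      if (v4) groups.push((v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]);
      else if (/^[0-9a-fA-F]{1,4}$/.test(items[i])) groups.push(parseInt(items[i], 16));
      else return null;
    }
    return groups;
  };
  const head = toGroups(parts[0], parts.length === 1);
  const tail = parts.length === 2 ? toGroups(parts[1], true) : [];
  if (head === null || tail === null) return null;
  const missing = 8 - head.length - tail.length;
  if (parts.length === 2 ? missing < 1 : missing !== 0) return null;
  return [...head, ...new Array(missing).fill(0), ...tail];
}
// Canonical key: eight zero-padded lowercase hex groups. Plain IPv4 is keyed as its
// IPv4-mapped form (assumed here), so a 127.0.0.1 rule also covers ::ffff:7f00:1.
function canonicalKey(ip) {
  const v4 = parseIPv4(ip.trim());
  const groups = v4
    ? [0, 0, 0, 0, 0, 0xffff, (v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]]
    : parseIPv6(ip.trim());
  return groups ? groups.map((g) => g.toString(16).padStart(4, '0')).join(':') : null;
}
// Deny check over canonical keys; an unparseable client address fails closed.
function isDenied(ip, denyRules) {
  const key = canonicalKey(ip);
  return key === null || denyRules.some((rule) => canonicalKey(rule) === key);
}
```

Because both the rule and the client address are reduced to the same key, a naive string equality on the raw input is no longer what decides access.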