DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24398: Hono IP Spoofing: When 255 + 100 Equals Access

Vulnerability ID: CVE-2026-24398
CVSS Score: 4.8
Published: 2026-01-27

A logic flaw in Hono's IP address validation middleware allows attackers to bypass IP-based access controls by supplying malformed IPv4 addresses that trigger an integer overflow during binary conversion.

TL;DR

Hono versions prior to 4.11.7 validated IPv4 addresses with a permissive regular expression that only checked for up to three digits per octet, so octet values greater than 255 were accepted. When such an address is processed, the oversized value carries into the adjacent octet (e.g., 1.2.2.355 becomes 1.2.3.99), allowing attackers to spoof trusted IPs or bypass blocklists.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-185 (Incorrect Regular Expression)
  • CVSS: 4.8 (Medium)
  • Attack Vector: Network
  • Impact: Security Bypass / IP Spoofing
  • Patch Commit: edbf6eea8e6c26a3937518d4ed91d8666edeec37
  • Exploit Complexity: High (Requires knowledge of target IP/ACL)

Affected Systems

  • Hono Web Framework (JavaScript/TypeScript)
  • Hono IP Restriction Middleware
  • Hono: < 4.11.7 (Fixed in: 4.11.7)

Code Analysis

Commit: edbf6ee

fix: make the IPV4 regex strict

- const IPV4_REGEX = /^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/
+ const IPV4_OCTET_PART = '(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
+ const IPV4_REGEX = new RegExp(`^(?:${IPV4_OCTET_PART}\\.){3}${IPV4_OCTET_PART}$`)
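Review bot: the new `IPV4_OCTET_PART` alternation correctly bounds each octet to 0-255, but two behaviour changes beyond the range fix are not called out in the commit message: the old pattern's `[0-9]{0,3}` also accepted empty octets (an input such as `...` matched), and the new `[1-9]?[0-9]` branch rejects zero-padded octets such as `01`, so dotted quads with leading zeros that previously passed will now fail validation. Consider stating this in the commit message and adding test cases for an out-of-range octet (e.g. `1.2.2.355`), an empty octet and a leading-zero octet so the regex is pinned.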

Exploit Details

  • Manual: Proof of concept involves sending an IP with octets > 255 to overflow adjacent values.

Mitigation Strategies

  • Input Validation Hardening
  • Strict Proxy Trust Configuration
  • Dependency Management

Remediation Steps:

  1. Upgrade Hono to version 4.11.7 or later immediately.
  2. Audit any custom middleware that performs IP validation using regex; ensure it strictly enforces the 0-255 range.
  3. If relying on X-Forwarded-For headers, ensure your application explicitly defines trusted proxies to prevent header spoofing from untrusted sources.
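The following is an added example, not Hono's code, serving both the TL;DR's 1.2.2.355 to 1.2.3.99 carry and remediation step 2's audit of regex-based validators: the pre-4.11.7 and 4.11.7 patterns from the diff above are placed side by side with a naive dotted-quad-to-integer conversion that models the carry the advisory describes (Hono's own conversion may differ; the candidate addresses are constructed).

```javascript
// Added example, not Hono's code. Both regexes are copied from the advisory's diff;
// the conversion below is a naive model of the carry the advisory describes.
const LAX_IPV4_REGEX = /^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/;        // < 4.11.7
const IPV4_OCTET_PART = '(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])';
const STRICT_IPV4_REGEX = new RegExp(`^(?:${IPV4_OCTET_PART}\\.){3}${IPV4_OCTET_PART}$`); // 4.11.7

// Naive dotted-quad -> 32-bit integer with no per-octet range check: an octet
// of 355 contributes 1*256 + 99, i.e. it carries into the octet to its left.
function naiveIpv4ToInt(ip) {
  return ip.split('.').reduce((acc, part) => acc * 256 + Number(part), 0) >>> 0;
}

// 32-bit integer -> canonical dotted quad.
function intToIpv4(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 0xff).join('.');
}

// Run one candidate through a validator: was it accepted, and does it
// round-trip to itself or alias to a different address after conversion?
function checkIpv4(ip, regex) {
  const accepted = regex.test(ip);
  const canonical = accepted ? intToIpv4(naiveIpv4ToInt(ip)) : null;
  return { ip, accepted, canonical, aliased: accepted && canonical !== ip };
}

// Audit helper for remediation step 2: every candidate the validator accepts
// that does not round-trip is an alias an ACL check could be fooled by.
// A strict validator should return an empty list.
function findAliasedAcceptances(candidates, regex) {
  return candidates.map((ip) => checkIpv4(ip, regex)).filter((r) => r.aliased);
}

// Constructed candidates: the advisory's pair, a larger carry, an all-empty
// quad the lax pattern matches, and two in-range addresses as controls.
const CONSTRUCTED_CANDIDATES = ['1.2.3.99', '1.2.2.355', '10.0.0.999', '...', '255.255.255.255'];

for (const ip of CONSTRUCTED_CANDIDATES) {
  console.log('lax    ', JSON.stringify(checkIpv4(ip, LAX_IPV4_REGEX)));
  console.log('strict ', JSON.stringify(checkIpv4(ip, STRICT_IPV4_REGEX)));
}
```

Running the audit helper against the lax pattern lists three aliased acceptances from the constructed set; against the strict pattern it lists none.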

References


Read the full report for CVE-2026-24398 on our website for more details including interactive diagrams and full exploit analysis.
