Description
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.
Published: 2026-02-25
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: IP-based authentication bypass
Action: Apply Patch
AI Analysis

Impact

Hono is a JavaScript web framework that runs on any JavaScript runtime. In versions 4.12.0 and 4.12.1 the getConnInfo function incorrectly parses the X-Forwarded-For header by taking its first value. Because an AWS Application Load Balancer appends the real client IP to the end of the header, the first entry can be supplied by an attacker. This flaw allows an attacker to forge the header and bypass IP-based access control mechanisms such as the ipRestriction middleware, effectively gaining authenticated access without proper credentials.

Affected Systems

Affected systems are deployments of the Hono framework v4.12.0 through v4.12.1 running on Node.js when used with the AWS Lambda adapter behind an AWS Application Load Balancer. The issue is present only in those specific versions; the fix was introduced in version 4.12.2.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.2, indicating high severity, but its EPSS score is below 1 % and it is not listed in the CISA KEV catalog, suggesting a low current exploitation chance. The attack vector would involve an attacker sending traffic to the ALB with a forged X-Forwarded-For header; the framework then uses the attacker-controlled value for IP checks, allowing a bypass. No known public exploits exist yet, but the flaw can be mitigated by upgrading or reconfiguring the load balancer or framework.

Generated by OpenCVE AI on April 16, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hono framework to version 4.12.2 or later.
  • If an upgrade is not immediately possible, modify IP-restriction logic to validate the last value of X-Forwarded-For or reject requests with multiple entries in the header.
  • Reconfigure the AWS ALB to discontinue inclusion of X-Forwarded-For or to use a trusted header such as X-Real-Ip and adjust the Lambda adapter accordingly.

Generated by OpenCVE AI on April 16, 2026 at 16:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xh87-mx6m-69f3 Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
History

Mon, 02 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

Fri, 27 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Hono
Hono hono
Vendors & Products Hono
Hono hono

Wed, 25 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
Description Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.
Title Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Weaknesses CWE-290
CWE-345
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Hono Hono
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T17:01:28.403Z

Reserved: 2026-02-23T17:56:51.202Z

Link: CVE-2026-27700

cve-icon Vulnrichment

Updated: 2026-02-27T17:01:23.329Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T16:23:26.440

Modified: 2026-03-02T16:17:53.100

Link: CVE-2026-27700

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses