Description
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.
Published: 2026-03-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via shared rate‑limit bucket
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises because the default keyGenerator in express-rate-limit applies /56 subnet masking to any address reported as IPv6, so IPv4-mapped IPv6 addresses are all treated as one subnet. Every IPv4 client therefore shares the same network key and is collapsed into a single rate-limit bucket. When one such client exceeds the threshold, the middleware returns HTTP 429 for every IPv4 client on the server, effectively denying service to all of them. This weakness is a denial-of-service condition classified under CWE-1389 and CWE-770. Based on the description, it is inferred that the patch changes the default key generation so that IPv4-mapped addresses are separated from each other or handled like native IPv4 addresses, restoring client-specific rate limits. Affected Node.js applications are exposed only on dual-stack servers, where requests from IPv4 clients are presented as IPv4-mapped IPv6 values, typically via request.ip.

Affected Systems

The issue affects the express-rate-limit npm package, specifically versions 8.0.0 through 8.0.1, 8.1.0, 8.2.0 through 8.2.1, and any pre-patch release older than 8.0.2, 8.1.1, 8.2.2, or 8.3.0. The affected environments are Node.js Express applications that rely on the default rate-limiting key generation and run on dual-stack network stacks or with IPv6 enabled.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, placing it in the high severity range. EPSS indicates an exploitation probability of less than 1%, suggesting relatively low activity, and it is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that attackers can exploit this remotely by sending excessive requests from a single IPv4 client to a dual-stack server, exhausting the shared bucket. The impact is denial of service to all other IPv4 clients. The flaw is network-accessible and requires neither privileged credentials nor local access, so, based on the description, it is feasible for an attacker controlling a single client connection. The likely attack vector is a remote client whose traffic reaches request.ip through the IPv6 path, triggering the shared bucket. The effective attack surface is the rate-limit configuration exposed by express-rate-limit in production deployments.

Generated by OpenCVE AI on April 17, 2026 at 12:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade express‑rate‑limit to a patched release (≥8.0.2, ≥8.1.1, ≥8.2.2, or ≥8.3.0).
  • Configure a custom keyGenerator callback that strips the ::ffff: prefix or uses the raw IPv4 address when the request is identified as IPv4‑mapped, ensuring each client receives a distinct bucket.
  • Run the application on a Node.js instance configured for IPv4 only, or otherwise disable IPv6 handling on the server to prevent IPv4‑mapped addresses from being presented to express‑rate‑limit.


Advisories

Source: GitHub GHSA
ID: GHSA-46wh-pxpv-q5gq
Title: express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network

History

Wed, 11 Mar 2026 19:15:00 +0000

Type: First Time appeared
  Values Added: Express-rate-limit Project; Express-rate-limit Project express-rate-limit
Type: CPEs
  Values Added: cpe:2.3:a:express-rate-limit_project:express-rate-limit:*:*:*:*:*:*:*:*; cpe:2.3:a:express-rate-limit_project:express-rate-limit:8.1.0:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Express-rate-limit Project; Express-rate-limit Project express-rate-limit

Tue, 10 Mar 2026 00:15:00 +0000

Type: Weaknesses
  Values Added: CWE-1389
Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added: threat_severity Moderate


Mon, 09 Mar 2026 21:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
  Values Added: Express-rate-limit; Express-rate-limit express-rate-limit
Type: Vendors & Products
  Values Added: Express-rate-limit; Express-rate-limit express-rate-limit

Sat, 07 Mar 2026 05:30:00 +0000

Type: Description
  Values Added: the Description text shown at the top of this page
Type: Title
  Values Added: express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)
Type: Weaknesses
  Values Added: CWE-770
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:44:25.979Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30827

Vulnrichment

Updated: 2026-03-09T20:42:01.780Z

NVD

Status : Analyzed

Published: 2026-03-07T06:16:10.507

Modified: 2026-03-11T19:00:50.690

Link: CVE-2026-30827

Red Hat

Severity: Moderate

Public Date: 2026-03-07T05:19:08Z

Links: CVE-2026-30827 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T12:15:18Z

Weaknesses