Impact
The vulnerability lies in the ip-restriction middleware of Hono, where incoming IP addresses are compared to deny and allow rules using string equality after only partial normalization. Because non-canonical IPv6 formats (such as compressed forms, explicit-zero forms, or IPv4-mapped hex notation) do not match the stored rule entries, the rule evaluation is silently skipped. This flaw effectively permits traffic from seemingly blocked addresses to bypass the framework's IP filtering, exposing the application to unauthorized HTTP requests that would normally be denied.
Affected Systems
The flaw affects the Hono web-application framework (honojs:hono) version 4.12.21 and earlier; deployments that have not applied the fix in version 4.12.21 or later are vulnerable. The issue is tied to the ip-restriction middleware provided by hono/ip-restriction.
Risk and Exploitability
The CVSS score of 5.3 reflects a moderate impact; the vulnerability is a server-side input validation error that allows bypassing IP restrictions. No EPSS score is currently available, and the issue is not listed in the CISA KEV catalog, indicating that exploitation has not been observed on a large scale yet. Adversaries can exploit it by sending requests with non-canonical IPv6 addresses to the Hono application endpoints, assuming the target environment does not enforce external firewall rules that block or sanitize IPv6 traffic.
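The defensive principle behind the fix is to canonicalize every address before it is compared with a rule, rather than comparing raw strings. The following is an added illustration, not Hono's own code: `canonicalIPv6`, `isDenied` and `isDeniedNaive` are hypothetical names, and the choice to treat a bare IPv4 address as its IPv4-mapped IPv6 form is an assumption made for the example.

```typescript
// Added example (not Hono's code). Expands "::", drops leading zeros, lowercases
// hex and rewrites a dotted-quad tail (::ffff:1.2.3.4) into two hex groups, so
// that every textual spelling of one address yields one canonical string.
function canonicalIPv6(addr: string): string | null {
  let s = addr.trim().toLowerCase();
  // Assumption for this example: a bare IPv4 address is its IPv4-mapped form.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(s)) s = "::ffff:" + s;
  const m = s.match(/^(.*:)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (m) {
    const o = m.slice(2, 6).map(Number);
    if (o.some((v) => v > 255)) return null;
    s = `${m[1]}${((o[0] << 8) | o[1]).toString(16)}:${((o[2] << 8) | o[3]).toString(16)}`;
  }
  const parts = s.split("::");
  if (parts.length > 2) return null; // more than one "::" is invalid
  const head = parts[0] ? parts[0].split(":") : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (parts.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(parts.length === 2 ? missing : 0).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16).toString(16)).join(":");
}

type Rules = { denyList: string[] };

// Hardened comparison: both the rule entries and the request address are
// canonicalized; anything that does not parse is denied (fail closed).
function isDenied(rules: Rules, remote: string): boolean {
  const canon = canonicalIPv6(remote);
  if (canon === null) return true;
  const denied = new Set(rules.denyList.map((r) => canonicalIPv6(r) ?? r));
  return denied.has(canon);
}

// Literal string equality, the comparison pattern the advisory describes:
// any non-canonical spelling of a listed address falls through unmatched.
function isDeniedNaive(rules: Rules, remote: string): boolean {
  return rules.denyList.includes(remote);
}

// Constructed sample: a deny rule written in one spelling, the same host
// arriving under three others.
const sampleRules: Rules = { denyList: ["::ffff:127.0.0.1"] };
const spellings = ["::ffff:7f00:1", "0:0:0:0:0:ffff:7f00:0001", "::FFFF:127.0.0.1"];
```

Running `spellings.map((s) => [isDeniedNaive(sampleRules, s), isDenied(sampleRules, s)])` shows the naive check letting every variant through while the canonicalized check denies all of them.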
OpenCVE Enrichment