What is CVE-2026-24398?

## Summary IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. ## Details The vulnerability exists in two components: 1. **Permissive regex pattern:** The `IPV4_REGEX (/^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/)` accepts octet values greater than 255 (e.g., `999`). 2. **Unsafe binary conversion:** The `convertIPv4ToBinary` function does not validate octet ranges before performing bitwise operations. When an octet exceeds 255, it overflows into adjacent octets during the bit-shift calculation. For example, the IP address `1.2.2.355` is accepted and converts to the same binary value as 1.2.3.99: * `355` = `256 + 99` = `0x163` * After bit-shifting: `(1 << 24) + (2 << 16) + (2 << 8) + 355` = `0x01020363` = `1.2.3.99` ## Impact An attacker can bypass IP-based restrictions by crafting malformed IP addresses: * **Blocklist bypass:** If `1.2.3.0/24` is blocked, an attacker can use `1.2.2.355` (or similar) to bypass the restriction. * **Allowlist bypass:** Requests from unauthorized IP ranges may be incorrectly permitted. This is exploitable when the application relies on client-provided IP addresses (e.g., `X-Forwarded-For header`) for access control decisions. ## Affected Components * IP Restriction Middleware * `src/utils/ipaddr.ts`: `IPV4_REGEX`, `convertIPv4ToBinary`, `distinctRemoteAddr`

What is the severity of CVE-2026-24398?

CVE-2026-24398 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-24398?

No known public exploits are currently available for CVE-2026-24398.

Is there a patch available for CVE-2026-24398?

Yes, patches are available for CVE-2026-24398. Check the vendor advisories for update instructions.

CVE-2026-24398 - CVE Details, Severity, and Analysis

Q: What is the severity of CVE-2026-24398?

CVE-2026-24398 has a CVSS v3 score of 0, which is classified as Low severity.

Q: Is there an exploit available for CVE-2026-24398?

No known public exploits are currently available for CVE-2026-24398.

Q: Is there a patch available for CVE-2026-24398?

Yes, patches are available for CVE-2026-24398. Check the vendor advisories for update instructions.

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4_REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls.

Details

The vulnerability exists in two components:

Permissive regex pattern: The IPV4_REGEX (/^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/) accepts octet values greater than 255 (e.g., 999).
Unsafe binary conversion: The convertIPv4ToBinary function does not validate octet ranges before performing bitwise operations. When an octet exceeds 255, it overflows into adjacent octets during the bit-shift calculation.

For example, the IP address 1.2.2.355 is accepted and converts to the same binary value as 1.2.3.99:

355 = 256 + 99 = 0x163
After bit-shifting: (1 << 24) + (2 << 16) + (2 << 8) + 355 = 0x01020363 = 1.2.3.99

Impact

An attacker can bypass IP-based restrictions by crafting malformed IP addresses:

Blocklist bypass: If 1.2.3.0/24 is blocked, an attacker can use 1.2.2.355 (or similar) to bypass the restriction.
Allowlist bypass: Requests from unauthorized IP ranges may be incorrectly permitted.

This is exploitable when the application relies on client-provided IP addresses (e.g., X-Forwarded-For header) for access control decisions.

Affected Components

IP Restriction Middleware
src/utils/ipaddr.ts: IPV4_REGEX, convertIPv4ToBinary, distinctRemoteAddr

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com