{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T00:12:40.240","vulnerabilities":[{"cve":{"id":"CVE-2026-27700","sourceIdentifier":"security-advisories@github.com","published":"2026-02-25T16:23:26.440","lastModified":"2026-03-02T16:17:53.100","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue."},{"lang":"es","value":"Hono es un framework de aplicación web que proporciona soporte para cualquier entorno de ejecución de JavaScript. En las versiones 4.12.0 y 4.12.1, al usar el adaptador de AWS Lambda ('hono/aws-lambda') detrás de un Application Load Balancer (ALB), la función 'getConnInfo()' seleccionó incorrectamente el primer valor del encabezado 'X-Forwarded-For'. Debido a que AWS ALB añade la dirección IP del cliente real al final del encabezado 'X-Forwarded-For', el primer valor puede ser controlado por el atacante. Esto podría permitir que los mecanismos de control de acceso basados en IP (como el middleware 'ipRestriction') fueran eludidos. La versión 4.12.2 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-290"},{"lang":"en","value":"CWE-345"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-290"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*","versionStartIncluding":"4.12.0","versionEndExcluding":"4.12.2","matchCriteriaId":"DF3B2F63-1712-4399-AEFD-660399D4B160"}]}]}],"references":[{"url":"https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/honojs/hono/releases/tag/v4.12.2","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}