CVE-2026-27700 PUBLISHED

Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo

Assigner: GitHub_M
Reserved: 23.02.2026 Published: 25.02.2026 Updated: 25.02.2026

Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (hono/aws-lambda) behind an Application Load Balancer (ALB), the getConnInfo() function incorrectly selected the first value from the X-Forwarded-For header. Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the ipRestriction middleware) to be bypassed. Version 4.12.2 patches the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS Score: 8.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	honojs
Product	hono
Versions	Version >= 4.12.0, < 4.12.2 is affected

References

Problem Types

CWE-345: Insufficient Verification of Data Authenticity CWE
CWE-290: Authentication Bypass by Spoofing CWE