CVE-2026-27700
HIGH8.2EPSS 0.01%Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Description
## Summary When using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. ## Details In ALB environments, AWS appends the actual client IP address to the end of any existing `X-Forwarded-For` header value. However, the previous implementation of `getConnInfo()` extracted the leftmost IP address: ```ts address = xff.split(',')[0].trim() ``` If a client sent: ``` X-Forwarded-For: <spoofed-ip> ``` ALB would forward: ``` X-Forwarded-For: <spoofed-ip>, <real-client-ip> ``` Since the implementation selected the first value, the spoofed IP address was trusted. This affected applications using: ```ts ipRestriction(getConnInfo, { allowList: [...] }) ``` or any custom middleware relying on `getConnInfo(c).remote.address` for authorization decisions. The issue only affects deployments using the AWS Lambda adapter behind an ALB. API Gateway (v1/v2) and Lambda Function URLs are not affected, as they use AWS-provided source IP values from `requestContext`. ## Impact An unauthenticated remote attacker could bypass IP-based access restrictions by supplying a crafted `X-Forwarded-For` header. This may allow access to resources that were intended to be restricted by IP address. Only applications deployed behind an ALB and relying on `getConnInfo()` for IP-based authorization are affected.
Affected packages (1)
- npm/hono>= 4.12.0, < 4.12.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |