CVE-2026-27700 in hono

Summary

by MITRE • 02/25/2026

Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.


Analysis

by VulDB Data Team • 03/03/2026

CVE-2026-27700 affects the Hono web framework in versions 4.12.0 and 4.12.1 when the AWS Lambda adapter (`hono/aws-lambda`) is deployed behind an AWS Application Load Balancer. The adapter's `getConnInfo()` derives the client address from the `X-Forwarded-For` header, which proxies and load balancers use to carry the original client IP through the hop chain. ALB appends the address it actually accepted the connection from to the end of that header rather than the beginning, so the first entry in the list is whatever the client chose to send and carries no trust.

The flaw is a trust-assumption error in header handling rather than a parsing bug. `getConnInfo()` treated the first comma-separated value as the client address, which is only safe when the first hop is itself a trusted proxy or the proxy overwrites the header. Behind ALB the real client IP is the last value, so a client that sends its own `X-Forwarded-For` value reaches the Lambda with that value first and its genuine address appended after it, and `getConnInfo()` reports the attacker-chosen one. Any policy built on that address, including the `ipRestriction` middleware, which takes a connection-info function and compares the returned address against its allow and deny lists, then evaluates an address the attacker picked.

The operational impact is an unauthenticated authorization bypass for any Hono application behind ALB that uses the client address as a security boundary. Setting a request header needs no network position and no credentials, so administrative routes, partner APIs, or internal-only endpoints restricted to office, VPN, or partner ranges become reachable from anywhere as long as the attacker knows or can guess an allowlisted address. Applications that use `getConnInfo()` only for logging or rate limiting get wrong data rather than a bypass, but their logs will attribute the request to the spoofed address, which also hampers investigation.

Version 4.12.2 corrects `getConnInfo()` in the Lambda adapter so that, behind ALB, it selects the value the load balancer appended, the last entry of `X-Forwarded-For`, instead of the first. Update to 4.12.2 or later. Last-value selection is only sound when the last hop is a trusted proxy, so operators should also confirm that the function cannot be invoked except through the ALB; a request that reaches the Lambda directly carries a header the attacker wrote in full, and no selection rule recovers a real address from it. Alerting on requests whose `X-Forwarded-For` contains more than one entry, or whose selected address falls in an allowlisted range while the request arrived from an unexpected source, gives a cheap detection for attempted abuse. The weakness corresponds to CWE-284 (Improper Access Control).
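The selection error described in the summary and the analysis above, as an added example that is not Hono's own code: a first-value selector reproducing the vulnerable behaviour beside a last-value selector modelling the 4.12.2 behaviour, both fed the same constructed header, and a minimal IPv4 CIDR allowlist standing in for an `ipRestriction`-style check. The header value, the addresses, the allowlist range, and every function name below are constructed for illustration. The trusted-hop walker at the end goes beyond the ALB case: it skips known proxy addresses from the right, which collapses to last-value selection when the load balancer adds only the client address.

```javascript
// Added example (not Hono's code): why first-value X-Forwarded-For selection
// is bypassable behind AWS ALB, and the right-most selection that models the
// corrected behaviour. Addresses and names below are constructed.

// Constructed sample: the attacker sent "X-Forwarded-For: 203.0.113.50" and
// ALB appended the address it actually accepted the connection from.
const SAMPLE_HEADERS = { "x-forwarded-for": "203.0.113.50, 198.51.100.7" };

// Split the comma-separated hop list, dropping empty entries.
function parseXff(headerValue) {
  return (headerValue || "")
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Vulnerable selection (the 4.12.0/4.12.1 behaviour the advisory describes):
// the left-most hop is whatever the client chose to send.
function clientIpFirstValue(headers) {
  const hops = parseXff(headers["x-forwarded-for"]);
  return hops.length ? hops[0] : null;
}

// Corrected selection: ALB appends the real client address, so only the
// right-most hop is vouched for by the load balancer.
function clientIpLastValue(headers) {
  const hops = parseXff(headers["x-forwarded-for"]);
  return hops.length ? hops[hops.length - 1] : null;
}

// General form (beyond the ALB case): walk from the right, skipping hops that
// are trusted proxies, and return the first address no trusted proxy owns.
// With an empty trusted set this is exactly clientIpLastValue.
function clientIpTrustedHops(headers, trustedProxies) {
  const hops = parseXff(headers["x-forwarded-for"]);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return null;
}

// Dotted-quad IPv4 to unsigned 32-bit integer; null for anything else.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
}

// CIDR membership test for IPv4 (e.g. "203.0.113.0/24").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Stand-in for an ipRestriction-style allowlist: null or non-IPv4 is denied.
const ALLOW_LIST = ["203.0.113.0/24"]; // constructed "partner network" range
function isAllowed(ip, allowList = ALLOW_LIST) {
  return ip !== null && allowList.some((cidr) => inCidr(ip, cidr));
}

// Evaluate the allowlist with a given selector; true means the request passes.
function decide(selector, headers) {
  return isAllowed(selector(headers));
}

// Stand-alone demo: same header, opposite outcomes.
console.log("first value:", clientIpFirstValue(SAMPLE_HEADERS),
  decide(clientIpFirstValue, SAMPLE_HEADERS) ? "-> ALLOWED (bypass)" : "-> denied");
console.log("last value :", clientIpLastValue(SAMPLE_HEADERS),
  decide(clientIpLastValue, SAMPLE_HEADERS) ? "-> allowed" : "-> DENIED");
```

The two selectors see the identical header; only the choice of hop differs, and that choice alone decides whether the spoofed 203.0.113.50 passes the allowlist. The trusted-hop variant is the shape to reach for when more than one proxy sits in front of the application, because a bare last-value rule becomes wrong again as soon as a second trusted proxy appends its own upstream address.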

Responsible

GitHub M

Reservation

02/23/2026

Disclosure

02/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00008

KEV

no

Activities

very low
