express-rate-limit, Rate Limiting Bypass (Critical)

Listen to this Post

The vulnerability in express-rate-limit versions 8.0.0 to 8.2.1 stems from the default keyGenerator function, which applies IPv6 subnet masking (default /56) to any address net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses like ::ffff:x.x.x.x, returned as request.ip on dual-stack servers. Since the first 80 bits of all IPv4-mapped addresses are zero, a /56 subnet mask always produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket. An attacker can exhaust this shared bucket from one IPv4 client, causing HTTP 429 for all other IPv4 clients, leading to denial of service. The issue occurs in default configurations without special options. The fix, implemented in commit 14e5388 and released in v8.3.0 and backports, modifies keyGenerator to handle IPv4-mapped addresses correctly, ensuring unique keys for IPv4 clients.
Platform: express-rate-limit
Version: v8.0.0 – v8.2.1
Vulnerability: IPv4-mapped IPv6 key collision
Severity: Critical
date: 2023-10-04

Prediction: Patched in v8.3.0

What Undercode Say:

Analytics:

Proof of concept code to demonstrate the vulnerability
const { isIPv6 } = require('net');
const { Address6 } = require('ip-address');
function ipKeyGenerator(ip, ipv6Subnet = 56) {
if (ipv6Subnet && isIPv6(ip)) {
return <code>${new Address6(</code>${ip}/${ipv6Subnet}<code>).startAddress().correctForm()}/${ipv6Subnet}</code>;
}
return ip;
}
console.log(ipKeyGenerator('::ffff:192.168.1.1', 56)); // ::/56
console.log(ipKeyGenerator('::ffff:10.0.0.1', 56)); // ::/56
console.log(ipKeyGenerator('::ffff:8.8.8.8', 56)); // ::/56

How Exploit:

An attacker can send continuous requests from a single IPv4 client to a dual-stack server using default express-rate-limit. This consumes the shared rate limit key (::/56), triggering HTTP 429 for all IPv4 clients and blocking their access.

Protection from this CVE:

Upgrade to express-rate-limit v8.3.0, v8.2.2, v8.1.1, or v8.0.2. Alternatively, implement a custom keyGenerator to extract IPv4 from mapped addresses, e.g., using ip.split(':').pop().

Impact:

Denial of service for all IPv4 clients due to shared rate limit bucket exhaustion by a single attacker. Affects applications on dual-stack Node.js servers with default configuration.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

D-Link DIR-513, Stack Buffer Overflow, CVE-2025-70230 (Critical)

Scroll to Top