Listen to this Post
The vulnerability exploits flaws in Hono’s IP address parsing to bypass restriction middleware. The `IPV4_REGEX` pattern `/^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/` accepts octet strings up to three digits but does not validate their numerical range, allowing values like 999. The `convertIPv4ToBinary` function then processes these values without checks. When an octet exceeds 255, it causes an integer overflow during bitwise left-shift operations. For instance, the octet 355 (256 + 99) overflows, carrying the extra 1 into the next higher octet during binary addition. This results in a malformed IP like `1.2.2.355` being incorrectly calculated as equivalent to the legitimate IP 1.2.3.99, allowing an attacker to spoof their IP address and bypass blocklists or allowlists.
Platform: Hono
Version: <= 4.6.0
Vulnerability: IP Validation Bypass
Severity: Critical
date: 2024-11-08
Prediction: Patch by 2024-11-30
What Undercode Say:
Analytics:
grep -r "IPV4_REGEX" src/ grep -n "convertIPv4ToBinary" src/utils/ipaddr.ts
Bash Commands:
curl -H "X-Forwarded-For: 1.2.2.355" http://target/
Codes:
// Vulnerable regex pattern
const IPV4_REGEX = /^[0-9]{0,3}.[0-9]{0,3}.[0-9]{0,3}.[0-9]{0,3}$/;
// Vulnerable conversion function
function convertIPv4ToBinary(ip: string): number {
const parts = ip.split('.').map(Number); // No range validation
return (parts[bash] << 24) + (parts[bash] << 16) + (parts[bash] << 8) + parts[bash];
}
How Exploit:
Craft malformed IP addresses with octets >255 (e.g., 1.2.2.355) in the `X-Forwarded-For` header to bypass IP-based access controls.
Protection from this CVE:
Update Hono immediately. Implement strict IP octet validation (0-255). Do not trust client-provided headers for critical access control.
Impact:
IP Blocklist Bypass. Allowlist Security Bypass. Access Control Failure.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

