CVE-2026-27700

Description

## Summary When using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. ## Details In ALB environments, AWS appends the actual client IP address to the end of any existing `X-Forwarded-For` header value. However, the previous implementation of `getConnInfo()` extracted the leftmost IP address: ```ts address = xff.split(',')[0].trim() ``` If a client sent: ``` X-Forwarded-For: <spoofed-ip> ``` ALB would forward: ``` X-Forwarded-For: <spoofed-ip>, <real-client-ip> ``` Since the implementation selected the first value, the spoofed IP address was trusted. This affected applications using: ```ts ipRestriction(getConnInfo, { allowList: [...] }) ``` or any custom middleware relying on `getConnInfo(c).remote.address` for authorization decisions. The issue only affects deployments using the AWS Lambda adapter behind an ALB. API Gateway (v1/v2) and Lambda Function URLs are not affected, as they use AWS-provided source IP values from `requestContext`. ## Impact An unauthenticated remote attacker could bypass IP-based access restrictions by supplying a crafted `X-Forwarded-For` header. This may allow access to resources that were intended to be restricted by IP address. Only applications deployed behind an ALB and relying on `getConnInfo()` for IP-based authorization are affected.

How to fix CVE-2026-27700

To remediate CVE-2026-27700, upgrade the affected package to a fixed version below.

• —upgrade to 4.12.2 or later

Is CVE-2026-27700 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)