Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-24398

4.8 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 2 months, 2 weeks ago

Hono's IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue.

References

https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh x_refsource_CONFIRM
https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37 x_refsource_MISC
https://github.com/honojs/hono/releases/tag/v4.11.7 x_refsource_MISC

Affected products

hono

==< 4.11.7

Matching in nixpkgs

pkgs.libsForQt5.phonon

Multimedia API for Qt

nixos-unstable 4.11.1
- nixpkgs-unstable 4.11.1
- nixos-unstable-small 4.11.1
nixos-25.11 4.11.1
- nixpkgs-25.11-darwin 4.11.1

pkgs.kdePackages.phonon

Multi-platform sound framework for application developers

nixos-unstable 4.12.0
- nixpkgs-unstable 4.12.0
- nixos-unstable-small 4.12.0
nixos-25.11 4.12.0
- nixpkgs-25.11-darwin 4.12.0

pkgs.kdePackages.phonon-vlc

VLC backend for the Phonon multimedia library

nixos-unstable 0.12.0
- nixpkgs-unstable 0.12.0
- nixos-unstable-small 0.12.0
nixos-25.11 0.12.0
- nixpkgs-25.11-darwin 0.12.0

pkgs.plasma5Packages.phonon

Multimedia API for Qt

nixos-unstable 4.11.1
- nixpkgs-unstable 4.11.1
- nixos-unstable-small 4.11.1
nixos-25.11 4.11.1
- nixpkgs-25.11-darwin 4.11.1

pkgs.python312Packages.phonopy

Modulefor phonon calculations at harmonic and quasi-harmonic levels

nixos-unstable 2.38.2
- nixpkgs-unstable 2.38.2
- nixos-unstable-small 2.38.2
nixos-25.11 2.43.2
- nixpkgs-25.11-darwin 2.43.2

pkgs.python313Packages.phonopy

Modulefor phonon calculations at harmonic and quasi-harmonic levels

nixos-unstable 2.38.2
- nixpkgs-unstable 2.38.2
- nixos-unstable-small 2.38.2
nixos-25.11 2.43.2
- nixpkgs-25.11-darwin 2.43.2

pkgs.libsForQt5.phonon-backend-vlc

GStreamer backend for Phonon

nixos-unstable 0.11.3
- nixpkgs-unstable 0.11.3
- nixos-unstable-small 0.11.3
nixos-25.11 0.11.3
- nixpkgs-25.11-darwin 0.11.3

pkgs.python312Packages.pythonocc-core

Python wrapper for the OpenCASCADE 3D modeling kernel

nixos-unstable 7.8.1.1
- nixpkgs-unstable 7.8.1.1
- nixos-unstable-small 7.8.1.1
nixos-25.11 7.8.1.1
- nixpkgs-25.11-darwin 7.8.1.1

pkgs.python313Packages.pythonocc-core

Python wrapper for the OpenCASCADE 3D modeling kernel

nixos-unstable 7.8.1.1
- nixpkgs-unstable 7.8.1.1
- nixos-unstable-small 7.8.1.1
nixos-25.11 7.8.1.1
- nixpkgs-25.11-darwin 7.8.1.1

pkgs.plasma5Packages.phonon-backend-vlc

GStreamer backend for Phonon

nixos-unstable 0.11.3
- nixpkgs-unstable 0.11.3
- nixos-unstable-small 0.11.3
nixos-25.11 0.11.3
- nixpkgs-25.11-darwin 0.11.3

pkgs.libsForQt5.phonon-backend-gstreamer

GStreamer backend for Phonon

nixos-unstable 4.10.0
- nixpkgs-unstable 4.10.0
- nixos-unstable-small 4.10.0
nixos-25.11 4.10.0
- nixpkgs-25.11-darwin 4.10.0

pkgs.plasma5Packages.phonon-backend-gstreamer

GStreamer backend for Phonon

nixos-unstable 4.10.0
- nixpkgs-unstable 4.10.0
- nixos-unstable-small 4.10.0
nixos-25.11 4.10.0
- nixpkgs-25.11-darwin 4.10.0

Package maintainers

@ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
@K900 Ilya K. <me@0upti.me>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
@mjm Matt Moriarity <matt@mattmoriarity.com>
@ttuegel Thomas Tuegel <ttuegel@mailbox.org>
@NickCao Nick Cao <nickcao@nichi.co>
@PsyanticY Psyanticy <iuns@outlook.fr>
@CHN-beta Haonan Chen <chn@chn.moe>