Nixpkgs security tracker
8.2 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): LOW
- Availability impact (A): NONE
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.
References
-
https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3 x_refsource_CONFIRM
-
https://github.com/honojs/hono/releases/tag/v4.12.2 x_refsource_MISC
Affected products
- ==>= 4.12.0, < 4.12.2
Matching in nixpkgs
pkgs.libsForQt5.phonon
Multimedia API for Qt
pkgs.kdePackages.phonon
Multi-platform sound framework for application developers
pkgs.kdePackages.phonon-vlc
VLC backend for the Phonon multimedia library
pkgs.plasma5Packages.phonon
Multimedia API for Qt
pkgs.typstPackages.phonokit
A toolkit to create phonological representations
pkgs.python312Packages.phonopy
Modulefor phonon calculations at harmonic and quasi-harmonic levels
pkgs.python313Packages.phonopy
Modulefor phonon calculations at harmonic and quasi-harmonic levels
pkgs.python314Packages.phonopy
Modulefor phonon calculations at harmonic and quasi-harmonic levels
pkgs.typstPackages.phonokit_0_0_1
Phonology toolkit: IPA transcription (tipa-style), prosodic structures, vowel/consonant charts with language inventories
pkgs.typstPackages.phonokit_0_2_0
Create phonological representations
pkgs.typstPackages.phonokit_0_3_0
A toolkit to create phonological representations
pkgs.typstPackages.phonokit_0_3_5
A toolkit to create phonological representations
pkgs.typstPackages.phonokit_0_3_6
A toolkit to create phonological representations
pkgs.typstPackages.phonokit_0_3_7
A toolkit to create phonological representations
pkgs.typstPackages.phonokit_0_4_0
A toolkit to create phonological representations
pkgs.libsForQt5.phonon-backend-vlc
GStreamer backend for Phonon
pkgs.python312Packages.pythonocc-core
Python wrapper for the OpenCASCADE 3D modeling kernel
pkgs.python313Packages.pythonocc-core
Python wrapper for the OpenCASCADE 3D modeling kernel
-
nixos-unstable 7.9.0-unstable-2025-12-31
- nixpkgs-unstable 7.9.0-unstable-2025-12-31
- nixos-unstable-small 7.9.0-unstable-2025-12-31
pkgs.python314Packages.pythonocc-core
Python wrapper for the OpenCASCADE 3D modeling kernel
-
nixos-unstable 7.9.0-unstable-2025-12-31
- nixpkgs-unstable 7.9.0-unstable-2025-12-31
- nixos-unstable-small 7.9.0-unstable-2025-12-31
pkgs.plasma5Packages.phonon-backend-vlc
GStreamer backend for Phonon
pkgs.libsForQt5.phonon-backend-gstreamer
GStreamer backend for Phonon
Package maintainers
-
@LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
-
@ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
-
@ttuegel Thomas Tuegel <ttuegel@mailbox.org>
-
@K900 Ilya K. <me@0upti.me>
-
@mjm Matt Moriarity <matt@mattmoriarity.com>
-
@NickCao Nick Cao <nickcao@nichi.co>
-
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
-
@PsyanticY Psyanticy <iuns@outlook.fr>
-
@CHN-beta Haonan Chen <chn@chn.moe>
-
@cherrypiejam Gongqi Huang
-
@RossSmyth Ross Smyth