8.2 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): LOW
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
22 packages
- libsForQt5.phonon
- kdePackages.phonon
- kdePackages.phonon-vlc
- plasma5Packages.phonon
- typstPackages.phonokit
- python312Packages.phonopy
- python313Packages.phonopy
- python314Packages.phonopy
- typstPackages.phonokit_0_0_1
- typstPackages.phonokit_0_2_0
- typstPackages.phonokit_0_3_0
- typstPackages.phonokit_0_3_5
- typstPackages.phonokit_0_3_6
- typstPackages.phonokit_0_3_7
- typstPackages.phonokit_0_4_0
- libsForQt5.phonon-backend-vlc
- python312Packages.pythonocc-core
- python313Packages.pythonocc-core
- python314Packages.pythonocc-core
- plasma5Packages.phonon-backend-vlc
- libsForQt5.phonon-backend-gstreamer
- plasma5Packages.phonon-backend-gstreamer
- @LeSuisse dismissed
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.
References
- https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3 x_refsource_CONFIRM
- https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7 x_refsource_MISC
- https://github.com/honojs/hono/releases/tag/v4.12.2 x_refsource_MISC
Affected products
- ==>= 4.12.0, < 4.12.2
Ignored packages (22)
pkgs.libsForQt5.phonon
Multimedia API for Qt
pkgs.kdePackages.phonon
Multi-platform sound framework for application developers
pkgs.kdePackages.phonon-vlc
VLC backend for the Phonon multimedia library
pkgs.plasma5Packages.phonon
Multimedia API for Qt
pkgs.typstPackages.phonokit
A toolkit to create phonological representations
pkgs.python312Packages.phonopy
Modulefor phonon calculations at harmonic and quasi-harmonic levels
pkgs.python313Packages.phonopy
Modulefor phonon calculations at harmonic and quasi-harmonic levels
pkgs.python314Packages.phonopy
Modulefor phonon calculations at harmonic and quasi-harmonic levels
pkgs.typstPackages.phonokit_0_0_1
Phonology toolkit: IPA transcription (tipa-style), prosodic structures, vowel/consonant charts with language inventories
pkgs.typstPackages.phonokit_0_2_0
Create phonological representations
pkgs.typstPackages.phonokit_0_3_0
A toolkit to create phonological representations
pkgs.typstPackages.phonokit_0_3_5
A toolkit to create phonological representations
pkgs.typstPackages.phonokit_0_3_6
A toolkit to create phonological representations
pkgs.typstPackages.phonokit_0_3_7
A toolkit to create phonological representations
pkgs.typstPackages.phonokit_0_4_0
A toolkit to create phonological representations
pkgs.libsForQt5.phonon-backend-vlc
GStreamer backend for Phonon
pkgs.python312Packages.pythonocc-core
Python wrapper for the OpenCASCADE 3D modeling kernel
pkgs.python313Packages.pythonocc-core
Python wrapper for the OpenCASCADE 3D modeling kernel
-
nixos-unstable 7.9.0-unstable-2025-12-31
- nixpkgs-unstable 7.9.0-unstable-2025-12-31
- nixos-unstable-small 7.9.0-unstable-2025-12-31
pkgs.python314Packages.pythonocc-core
Python wrapper for the OpenCASCADE 3D modeling kernel
-
nixos-unstable 7.9.0-unstable-2025-12-31
- nixpkgs-unstable 7.9.0-unstable-2025-12-31
- nixos-unstable-small 7.9.0-unstable-2025-12-31
pkgs.plasma5Packages.phonon-backend-vlc
GStreamer backend for Phonon
pkgs.libsForQt5.phonon-backend-gstreamer
GStreamer backend for Phonon