Nixpkgs security tracker

Untriaged

Permalink CVE-2026-24398

4.8 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 3 months, 3 weeks ago Activity log

Created suggestion 3 months, 3 weeks ago

Hono's IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue.

References

https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh x_refsource_CONFIRM
https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37 x_refsource_MISC
https://github.com/honojs/hono/releases/tag/v4.11.7 x_refsource_MISC

Affected products

hono

==< 4.11.7

Matching in nixpkgs

pkgs.libsForQt5.phonon

Multimedia API for Qt

nixos-unstable 4.11.1
- nixpkgs-unstable 4.11.1
- nixos-unstable-small 4.11.1

pkgs.kdePackages.phonon

Multi-platform sound framework for application developers

nixos-unstable 4.12.0
- nixpkgs-unstable 4.12.0
- nixos-unstable-small 4.12.0

pkgs.kdePackages.phonon-vlc

VLC backend for the Phonon multimedia library

nixos-unstable 0.12.0
- nixpkgs-unstable 0.12.0
- nixos-unstable-small 0.12.0

pkgs.plasma5Packages.phonon

Multimedia API for Qt

nixos-unstable 4.11.1
- nixpkgs-unstable 4.11.1
- nixos-unstable-small 4.11.1

pkgs.python312Packages.phonopy

Modulefor phonon calculations at harmonic and quasi-harmonic levels

nixos-unstable 2.43.2
- nixpkgs-unstable 2.43.2
- nixos-unstable-small 2.43.2

pkgs.python313Packages.phonopy

Modulefor phonon calculations at harmonic and quasi-harmonic levels

nixos-unstable 2.43.2
- nixpkgs-unstable 2.43.2
- nixos-unstable-small 2.43.2

pkgs.libsForQt5.phonon-backend-vlc

GStreamer backend for Phonon

nixos-unstable 0.11.3
- nixpkgs-unstable 0.11.3
- nixos-unstable-small 0.11.3

pkgs.python312Packages.pythonocc-core

Python wrapper for the OpenCASCADE 3D modeling kernel

nixos-unstable 7.8.1.1
- nixpkgs-unstable 7.8.1.1
- nixos-unstable-small 7.8.1.1

pkgs.python313Packages.pythonocc-core

Python wrapper for the OpenCASCADE 3D modeling kernel

nixos-unstable 7.8.1.1
- nixpkgs-unstable 7.8.1.1
- nixos-unstable-small 7.8.1.1

pkgs.plasma5Packages.phonon-backend-vlc

GStreamer backend for Phonon

nixos-unstable 0.11.3
- nixpkgs-unstable 0.11.3
- nixos-unstable-small 0.11.3

pkgs.libsForQt5.phonon-backend-gstreamer

GStreamer backend for Phonon

nixos-unstable 4.10.0
- nixpkgs-unstable 4.10.0
- nixos-unstable-small 4.10.0

pkgs.plasma5Packages.phonon-backend-gstreamer

GStreamer backend for Phonon

nixos-unstable 4.10.0
- nixpkgs-unstable 4.10.0
- nixos-unstable-small 4.10.0

Package maintainers

@ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
@bkchr Bastian Köcher <nixos@kchr.de>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@nyanloutre Paul Trehiou <paul@nyanlout.re>
@FRidh Frederik Rietdijk <fridh@fridh.nl>
@SCOTT-HAMILTON Scott Hamilton <sgn.hamilton@protonmail.com>
@NickCao Nick Cao <nickcao@nichi.co>
@ttuegel Thomas Tuegel <ttuegel@mailbox.org>
@LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
@K900 Ilya K. <me@0upti.me>
@mjm Matt Moriarity <matt@mattmoriarity.com>
@peterhoeg Peter Hoeg <peter@hoeg.com>
@CHN-beta Haonan Chen <chn@chn.moe>
@PsyanticY Psyanticy <iuns@outlook.fr>

Untriaged

Permalink CVE-2026-24473

created 3 months, 3 weeks ago Activity log

Created suggestion 3 months, 3 weeks ago

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.