216.73.216.170

CVE-2026-30827

· Published 07/03/2026 06:16 · Modified 07/03/2026 06:16

Labels: CVE-2026-30827 2026-03-07CVE-2026-30827CWE-770[email protected]

Essential information

Published
07/03/2026 06:16
Modified
07/03/2026 06:16
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
expressjs / express-rate-limit cpe:2.3:a:expressjs:express-rate-limit:<8.0.2:*:*:*:*:*:*:*
expressjs / express-rate-limit cpe:2.3:a:expressjs:express-rate-limit:8.0.0:*:*:*:*:*:*:*
expressjs / express-rate-limit cpe:2.3:a:expressjs:express-rate-limit:8.1.0:*:*:*:*:*:*:*
expressjs / express-rate-limit cpe:2.3:a:expressjs:express-rate-limit:8.2.0:*:*:*:*:*:*:*

References