CVE-2026-30827

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-30827
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30827.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30827
Aliases
Downstream
Related
Published
2026-03-07T05:19:08.206Z
Modified
2026-04-10T05:42:34.695204Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)
Details

express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30827.json"
}
References

Affected packages

Git / github.com/express-rate-limit/express-rate-limit

Affected ranges

Type
GIT
Repo
https://github.com/express-rate-limit/express-rate-limit
Events
Introduced
c299d5c89f9a75e52bfc28b81c22df0f059520e8
Fixed
54a685fbc4e8f88839349677e54e52380ad374c8
Database specific 
{
    "versions": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/express-rate-limit/express-rate-limit
Events
Introduced
60619359e1a479cceaf5893c0eb4ec68a99d5347
Fixed
1c572187e1e70672ec75761d561be8df3d304931
Database specific 
{
    "versions": [
        {
            "introduced": "8.1.0"
        },
        {
            "fixed": "8.1.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/express-rate-limit/express-rate-limit
Events
Introduced
37347330ecb5e0f6e34a278fa77502b3572f57f7
Fixed
a009ad6488448515b219eb9f4203c725eb328c8e
Database specific 
{
    "versions": [
        {
            "introduced": "8.2.0"
        },
        {
            "fixed": "8.2.2"
        }
    ]
}

Affected versions

v8.*
v8.0.0
v8.0.1
v8.1.0
v8.2.0
v8.2.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30827.json"