express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30827.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-770"
]
}{
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
],
"cpe": [
"cpe:2.3:a:express-rate-limit_project:express-rate-limit:*:*:*:*:*:*:*:*",
"cpe:2.3:a:express-rate-limit_project:express-rate-limit:8.1.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.2"
},
{
"introduced": "8.2.0"
},
{
"fixed": "8.2.2"
},
{
"introduced": "8.1.0"
},
{
"last_affected": "8.1.0"
}
]
}