{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.0.2"
              }
            ]
          },
          "events": [
            {
              "introduced": "c299d5c89f9a75e52bfc28b81c22df0f059520e8"
            },
            {
              "fixed": "54a685fbc4e8f88839349677e54e52380ad374c8"
            }
          ],
          "repo": "https://github.com/express-rate-limit/express-rate-limit",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "8.1.0"
              },
              {
                "fixed": "8.1.1"
              }
            ]
          },
          "events": [
            {
              "introduced": "60619359e1a479cceaf5893c0eb4ec68a99d5347"
            },
            {
              "fixed": "1c572187e1e70672ec75761d561be8df3d304931"
            }
          ],
          "repo": "https://github.com/express-rate-limit/express-rate-limit",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "8.2.0"
              },
              {
                "fixed": "8.2.2"
              }
            ]
          },
          "events": [
            {
              "introduced": "37347330ecb5e0f6e34a278fa77502b3572f57f7"
            },
            {
              "fixed": "a009ad6488448515b219eb9f4203c725eb328c8e"
            }
          ],
          "repo": "https://github.com/express-rate-limit/express-rate-limit",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-46wh-pxpv-q5gq"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30827.json"
  },
  "details": "express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.",
  "id": "CVE-2026-30827",
  "modified": "2026-04-01T23:10:40.173556424Z",
  "published": "2026-03-07T05:19:08.206Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30827.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30827"
    },
    {
      "type": "FIX",
      "url": "https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)"
}