CVE-2026-30827
📋 TL;DR
A vulnerability in the express-rate-limit middleware (8.x releases before the patched versions 8.0.2, 8.1.1, 8.2.2 and 8.3.0) causes all IPv4 clients to share one rate-limit bucket when IPv6 subnet masking is in effect: an IPv4 client reaching a dual-stack Node listener appears as an IPv4-mapped IPv6 address (::ffff:x.x.x.x), and masking that like any other IPv6 address collapses every such client to the same key. A single busy client can therefore exhaust the shared limit and cause HTTP 429 responses for every other IPv4 client. Any Express.js application running an affected version with the default configuration is exposed.
💻 Affected Systems
- express-rate-limit
⚠️ Manual Verification Required
The CVE database entry for this ID carries no version ranges, so automated scanners that rely on NVD/CPE data cannot decide whether your install is affected. Use the versions stated in the vendor advisory (see Fix & Mitigation below) instead:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Denial of service for all IPv4 clients where a single malicious client can trigger rate limiting for legitimate users, potentially disrupting service availability.
Likely Case
Accidental or intentional rate limit exhaustion causing legitimate IPv4 users to receive HTTP 429 errors and be unable to access the application.
If Mitigated
Limited impact if additional rate limiting layers or DDoS protection are in place, but IPv4 users may still experience intermittent access issues.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill: any single IPv4 client (malicious or merely busy, such as a scanner or a misbehaving integration) that sends enough requests to fill the shared bucket causes every other IPv4 client to receive HTTP 429. IPv6 clients keep their own per-subnet buckets and are not affected.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.2, 8.1.1, 8.2.2, or 8.3.0
Vendor Advisory: https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq
Restart Required: Yes
Instructions:
1. Check the installed version: npm list express-rate-limit
2. Update the package: npm install express-rate-limit@latest (or pin to the patched release of your major line: 8.0.2, 8.1.1, 8.2.2 or 8.3.0)
3. Restart the Express.js application
4. Verify the fix: confirm the installed version (npm list express-rate-limit) matches one of the patched releases, then check that two different IPv4 clients are rate-limited independently
🔧 Temporary Workarounds
Custom keyGenerator
Override the default keyGenerator so IPv4-mapped IPv6 addresses are keyed by their embedded IPv4 address. This example returns IPv6 addresses unmasked (one bucket per address rather than per subnet), so it also changes IPv6 behaviour; and req.ip depends on the trust proxy setting, so make sure that is configured correctly before relying on it.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  keyGenerator: (req) => {
    const ip = req.ip;
    // Node reports IPv4 clients on a dual-stack socket as ::ffff:a.b.c.d;
    // key those by the IPv4 part so they no longer collapse into one masked bucket.
    if (ip && ip.startsWith('::ffff:')) {
      return ip.substring(7); // extract the IPv4 portion
    }
    return ip;
  }
});
Disable IPv6 subnet masking
Set the subnet mask to /128 so every address is keyed individually. This also removes subnet grouping for genuine IPv6 clients, so a client that rotates addresses within its own /64 gets a fresh bucket per address; confirm the exact option name and accepted values against the documentation of the version you run.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  ipv6SubnetMask: 128 // option name as given on this page; check it against your version's docs
});
🧯 If You Can't Patch
- Implement additional rate limiting at network layer (firewall, load balancer, CDN)
- Monitor for unusual patterns of HTTP 429 responses across multiple client IPs
🔍 How to Verify
Check if Vulnerable:
Check whether you are running an affected version and whether the application sees IPv4 clients as IPv4-mapped IPv6 addresses (req.ip of the form ::ffff:x.x.x.x). That is the normal case when Node listens on a dual-stack socket (app.listen(port) with no host binds to :: where IPv6 is available). req.ip also reflects the trust proxy setting, so test with the same proxy configuration used in production.
Check Version:
npm list express-rate-limit | grep express-rate-limit
Verify Fix Applied:
Test rate limiting with multiple IPv4 clients - each should have independent rate limits after fix
📡 Detection & Monitoring
Log Indicators:
- Sudden increase in HTTP 429 responses across multiple client IPs
- Multiple distinct IPv4 clients receiving rate limit errors simultaneously
Network Indicators:
- Unusual request patterns from single IP affecting multiple users
- Spike in failed requests with 429 status codes
SIEM Query:
status_code:429 | bucket _time span=1m | stats dc(src_ip) AS clients BY _time | where clients > threshold
(illustrative Splunk-style pseudo-query; the signal is the number of distinct source IPs receiving 429 in each window, not the request count from any one source)