CVE-2026-30827
Published: 07 March 2026
Summary
CVE-2026-30827 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in express-rate-limit (vendor: Express-Rate-Limit Project). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 8.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-30827 is a vulnerability in express-rate-limit, a rate-limiting middleware for Express applications. It affects versions starting from 8.0.0 up to but not including 8.0.2, 8.1.1, 8.2.2, and 8.3.0. The default keyGenerator function applies IPv6 subnet masking (/56 by default) to every address for which net.isIPv6() returns true, including the IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) that Node.js provides as request.ip on dual-stack servers. Because the first 80 bits of every IPv4-mapped address are already zero, a /56 mask discards the embedded IPv4 address entirely and produces the same network key (::/56) for every IPv4 client, collapsing all IPv4 traffic into a single rate-limit bucket.
A remote attacker without authentication can exploit this by sending requests from a single IPv4 address to exhaust the configured rate limit, triggering HTTP 429 responses for all subsequent IPv4 clients. This effectively enables a denial-of-service attack with high availability impact (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), as one malicious client disrupts service for legitimate IPv4 users sharing the bucket. IPv6-native clients remain unaffected due to proper subnet handling.
The vulnerability has been patched in express-rate-limit versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, as detailed in the GitHub security advisory (GHSA-46wh-pxpv-q5gq) and the fixing commit (14e53888cdfd1b9798faf5b634c4206409e27fc4). Security practitioners should upgrade affected Express applications to these versions to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10113
Vulnerability details
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.
CWE(s): CWE-770 Allocation of Resources Without Limits or Throttling
Related Threats
MITRE ATT&CK Enterprise Techniques: T1499.004 Application or System Exploitation
Why these techniques?
The rate-limiter logic flaw directly enables remote exploitation of a public web application to exhaust shared IPv4 rate-limit buckets, producing an application-layer denial of service (availability impact) without requiring authentication or high-volume traffic.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of the flaw in express-rate-limit by upgrading to patched versions that correctly handle IPv4-mapped IPv6 addresses in the keyGenerator.
- SC-5 (Denial-of-service Protection): mandates denial-of-service protections such as effective rate limiting at entry points, so that a single IPv4 client cannot exhaust the limit for all others.
- Secure configuration: ensures secure configuration settings for rate-limiting middleware, such as a custom keyGenerator that properly distinguishes IPv4 clients and avoids bucket collapse.