Cyber Resilience

CVE-2026-30827

High · Public PoC · DDoS

Published: 07 March 2026

Modified: 11 March 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (8.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30827 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in the express-rate-limit package from the express-rate-limit project. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 8.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30827 is a vulnerability in express-rate-limit, a rate-limiting middleware for Express applications. It affects versions starting from 8.0.0 up to but not including 8.0.2, 8.1.1, 8.2.2, and 8.3.0. The default keyGenerator function applies IPv6 subnet masking (/56 by default) to every address for which net.isIPv6() returns true, including the IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) that Node.js provides as request.ip on dual-stack servers. Because the first 80 bits of every IPv4-mapped address are zero, masking to /56 discards the only bits that differ between clients and yields the same network key (::/56) for every IPv4 client, collapsing all IPv4 traffic into a single rate-limit bucket.

A remote attacker without authentication can exploit this by sending requests from a single IPv4 address to exhaust the configured rate limit, which triggers HTTP 429 responses for all subsequent IPv4 clients. This amounts to a denial of service with high availability impact (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), since one malicious client disrupts service for every legitimate IPv4 user sharing the bucket. IPv6-native clients remain unaffected because their addresses are masked per subnet as intended.

The vulnerability has been patched in express-rate-limit versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, as detailed in the GitHub security advisory (GHSA-46wh-pxpv-q5gq) and the fixing commit (14e53888cdfd1b9798faf5b634c4206409e27fc4). Security practitioners should upgrade affected Express applications to these versions to mitigate the issue.

EU & UK References

Vulnerability details

express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The rate-limiter logic flaw directly enables remote exploitation of a public web application to exhaust shared IPv4 rate-limit buckets, producing an application-layer denial of service (availability impact) without requiring authentication or high-volume traffic.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)
CVE-2025-36070 (shared CWE-770)
CVE-2021-47791 (shared CWE-770)
CVE-2021-47876 (shared CWE-770)
CVE-2019-25342 (shared CWE-770)
CVE-2026-44004 (shared CWE-770)

Affected Assets

Vendor: express-rate-limit project
Product: express-rate-limit
Affected versions: 8.1.0; 8.0.0 to 8.0.2; 8.2.0 to 8.2.2 (the upper bounds are the fixed releases and are not affected)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent (SI-2 Flaw Remediation)

Requires timely remediation of the flaw in express-rate-limit by upgrading to patched versions that correctly handle IPv4-mapped IPv6 addresses in the keyGenerator.

prevent (SC-5 Denial-of-service Protection)

Mandates implementation of denial-of-service protections like effective rate limiting at entry points to prevent a single IPv4 client from exhausting the limit for all others.

prevent

Ensures secure configuration settings for rate-limiting middleware, such as custom keyGenerators that properly distinguish IPv4 clients and avoid bucket collapse.

References