
fix(security): patch express-rate-limit IPv4-mapped IPv6 bypass #35

Open
lupita-hom wants to merge 1 commit into main from security/auto-fix-2026-03-09

Conversation

@lupita-hom (Collaborator)

Security Fix — Automated Scan (2026-03-09)

Vulnerability Patched

  • Package: express-rate-limit 8.2.0–8.2.1
  • Severity: High
  • Advisory: GHSA-46wh-pxpv-q5gq
  • Issue: IPv4-mapped IPv6 addresses could bypass per-client rate limiting on servers with dual-stack networking
  • Fix: npm audit fix updated to patched version

Code Review Summary

Full review of server security surface — no new issues found:

  • ✅ CORS: restricted to explicit allowlist, fails closed in production
  • ✅ Rate limiting: global + stricter sync limiter, webhook exclusion is intentional
  • ✅ Auth: admin token uses constant-time comparison (SHA-256 + timingSafeEqual), fails closed when unconfigured
  • ✅ Webhook verification: HMAC-SHA256 with timingSafeEqual
  • ✅ Input validation: regex chars escaped (ReDoS prevention), status values allowlisted
  • ✅ Helmet headers enabled
  • ✅ MongoDB not exposed to host network
  • ✅ Error messages restricted in production
  • ✅ Body parsing limits enforced (10mb global, 100mb restore after auth)

Automated security scan by lupita-hom

…pass (GHSA-46wh-pxpv-q5gq)

npm audit fix: express-rate-limit 8.2.0-8.2.1 allowed IPv4-mapped IPv6
addresses to bypass per-client rate limiting on dual-stack servers.
Updated to patched version.
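The bypass described above comes down to one client being seen under several spellings of the same address. As an added example (not code from this PR or from express-rate-limit), here is a key normaliser that collapses IPv4-mapped IPv6 forms onto the plain IPv4 string, so that a dual-stack server hands each client a single bucket regardless of spelling; it assumes an app in which trust proxy is configured so that req.ip already holds the real client address, and the sample addresses in the comments are constructed.

```javascript
// Added example, not code from this PR or from express-rate-limit: collapse every spelling
// of a client address onto one key, so "192.0.2.1", "::ffff:192.0.2.1" and "::ffff:c000:201"
// (one IPv4 client as seen by a dual-stack server) share a single rate-limit bucket.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Eight 16-bit groups of an IPv6 literal, or null when the text is not valid IPv6.
function expandIPv6(addr) {
  let s = addr.toLowerCase();
  const tail = /(?:^|:)(\d{1,3}(?:\.\d{1,3}){3})$/.exec(s); // dotted-quad tail
  if (tail) { // rewrite "::ffff:192.0.2.1" as "::ffff:c000:201"
    const o = parseIPv4(tail[1]);
    if (!o) return null;
    s = s.slice(0, -tail[1].length) + ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const [head, rest = []] = halves.map((h) => (h ? h.split(':') : []));
  const fill = halves.length === 2 ? 8 - head.length - rest.length : 0; // groups "::" stands for
  if (halves.length === 2 && fill < 1) return null;
  const groups = [...head, ...Array(fill).fill('0'), ...rest];
  if (groups.length !== 8) return null;
  const nums = groups.map((g) => (/^[0-9a-f]{1,4}$/.test(g) ? parseInt(g, 16) : NaN));
  return nums.some(Number.isNaN) ? null : nums;
}

// Canonical key: dotted IPv4 for IPv4 and IPv4-mapped IPv6 input, fully expanded
// lowercase IPv6 otherwise, undefined for anything that does not parse.
function normalizeClientIp(ip) {
  if (typeof ip !== 'string') return undefined;
  let addr = ip.trim().replace(/^\[(.*)\]$/, '$1'); // strip "[::1]" brackets
  addr = addr.split('%')[0]; // drop a zone id such as fe80::1%eth0
  const v4 = parseIPv4(addr);
  if (v4) return v4.join('.');
  const g = expandIPv6(addr);
  if (!g) return undefined;
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) // ::ffff:a.b.c.d
    return [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.');
  return g.map((x) => x.toString(16)).join(':');
}
// Wiring for express-rate-limit's keyGenerator option (assumed app setup: trust proxy
// configured so req.ip is the real client address).
function keyGenerator(req) {
  return normalizeClientIp(req.ip) ?? 'unknown';
}
```

Pass keyGenerator in the limiter options as defence in depth alongside the patched package version; the upstream fix remains the primary control.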
@github-actions

github-actions bot commented Mar 9, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ✅ 0 package(s) with unknown licenses.
  • ⚠️ 1 package with OpenSSF Scorecard issues.
See the Details below.

OpenSSF Scorecard

Package                  Version   Score     Details
npm/express-rate-limit   8.3.0     Unknown   Unknown
npm/ip-address           10.1.0    ⚠️ 2.5
Details

Check                Score   Reason
Code-Review          ⚠️ 1    Found 4/28 approved changesets -- score normalized to 1
Token-Permissions    ⚠️ -1   No tokens found
Binary-Artifacts     🟢 10   no binaries found in the repo
Dangerous-Workflow   ⚠️ -1   no workflows found
Packaging            ⚠️ -1   packaging workflow not detected
Maintained           ⚠️ 0    1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Pinned-Dependencies  ⚠️ -1   no dependencies found
CII-Best-Practices   ⚠️ 0    no effort to earn an OpenSSF best practices badge detected
Security-Policy      ⚠️ 0    security policy file not detected
Fuzzing              ⚠️ 0    project is not fuzzed
License              🟢 10   license file detected
Branch-Protection    ⚠️ -1   internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases      ⚠️ -1   no releases found
SAST                 ⚠️ 0    SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • server/package-lock.json
