


Perceptive Security
SOC/SIEM Consultancy

express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the de…
Published:
6 March 2026 at 23:00:00
Alert date:
7 March 2026 at 07:01:03
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
CVE-2026-30827 affects express-rate-limit from 8.0.0 up to, but not including, the patched releases 8.0.2, 8.1.1, 8.2.2 and 8.3.0 (the 8.0.x, 8.1.x and 8.2.x releases before those fixes). On a dual-stack server, IPv4 clients are seen as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), and the default keyGenerator applies its IPv6 subnet masking (/56 by default) to them as if they were ordinary IPv6 addresses. Because the upper 56 bits of every IPv4-mapped address are zero, all IPv4 traffic collapses into a single rate-limit bucket with the key ::/56. Once one IPv4 client exhausts the limit, every other IPv4 client receives HTTP 429 responses for the remainder of the window, a denial of service condition; native IPv6 clients keep their own per-/56 buckets and are not affected. The issue applies to Node.js applications that use Express with a vulnerable version of the middleware. Patches are available in versions 8.0.2, 8.1.1, 8.2.2 and 8.3.0.
Technical details
Mitigation steps:
Upgrade express-rate-limit to 8.0.2, 8.1.1, 8.2.2 or 8.3.0 (whichever matches the minor in use), or later.
Affected products:
express-rate-limit
Express
Node.js
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-30827
https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4
https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
