CVE-2026-29086 - Vulnerability Details

- Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.

Published: 2026-03-04

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The setCookie() utility in Hono did not escape semicolons, carriage returns, or newline characters present in the domain and path options. Because cookie attributes are separated by semicolons, an attacker can inject additional cookie attributes by supplying carefully crafted values in these fields, potentially allowing manipulation of cookie behavior such as setting custom flags, altering cookie names, or other unintended client-side state changes.

Affected Systems

All versions of the Hono web application framework released by honojs prior to 4.12.4 are affected. The vulnerability is present in Node.js runtimes that use these older Hono releases.

Risk and Exploitability

The CVSS score of 5.4 places this issue in the moderate risk range, yet the EPSS of less than 1% suggests low current exploitation likelihood. It is not listed in the CISA KEV catalog. An attacker would typically need to supply a crafted domain or path value—often via a user-supplied request header or API parameter—to trigger the injection during a server's response construction.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

honojs

hono

affected

Version	Status	Constraints
`< 4.12.4`	affected	—

Configuration 1 [-]

cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

No data.

Vendor Product Confidence Versions

Hono

90%

Version	Status	Scheme	Platform
`[0,4.12.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Hono to version 4.12.4 or later, which implements validation of domain and path inputs.
If immediate upgrade is not feasible, sanitize or whitelist domain and path arguments before calling setCookie() to ensure they contain only acceptable characters.
Audit server-side code to confirm that no unsanitized values reach setCookie(); remove unnecessary domain or path options when they are not needed.

Generated by OpenCVE AI on April 16, 2026 at 13:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-5pq2-9x2x-5p6w	Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073
https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w

History

Fri, 06 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:hono:hono::::::node.js::*

Thu, 05 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 05 Mar 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hono Hono hono
Vendors & Products		Hono Hono hono

Wed, 04 Mar 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
Title		Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Weaknesses		CWE-1113
References		https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073 https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}`

Subscriptions

Hono Hono

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-04T22:09:01.488Z

Updated: 2026-03-05T15:42:10.524Z

Reserved: 2026-03-03T20:51:43.484Z

Link: CVE-2026-29086

Vulnrichment

Updated: 2026-03-05T15:29:15.872Z

NVD

Status : Analyzed

Published: 2026-03-04T23:16:10.593

Modified: 2026-03-06T18:00:25.880

Link: CVE-2026-29086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:15:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object