Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.
Published: 2026-04-08
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cookie Override
Action: Apply Patch
AI Analysis

Impact

A bug in Hono's cookie parsing allows cookies whose names begin with a non‑breaking space to be normalized to match a legitimate cookie key. The framework therefore treats the attacker‑controlled cookie as equivalent to a valid cookie, enabling the attacker to substitute the value of a legitimate cookie. This issue corresponds to CWE‑20, Input Validation, but no additional weakness information is available from NVD.

Affected Systems

The Hono framework (honojs:hono) is affected in all versions earlier than 4.12.12. Any application that depends on one of those versions is vulnerable.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity risk. The EPSS score of less than 1% suggests a low but non‑zero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack scenario, inferred from the description, requires the attacker to send an HTTP request that contains a cookie with a leading non‑breaking space character. This could be achieved by a malicious web page that sets such a cookie or by modifying traffic on the network. The attacker can then overwrite the value of a legitimate cookie, potentially impacting the application state.

Generated by OpenCVE AI on April 22, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Hono version 4.12.12 or newer, which fixes the cookie name handling bug.
  • If immediate upgrade is not feasible, configure the application to reject or strip cookie names beginning with non‑breaking space characters before processing.
  • Implement network monitoring or WAF rules to detect and block anomalous cookie names, and alert administrators of suspicious HTTP requests.
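The second and third actions above amount to refusing cookie names that are not valid RFC 6265 tokens before any key normalization happens. The following is an added example written for this page, not Hono's code and not its fix: a deliberately naive parser (constructed to illustrate the class of discrepancy the advisory describes, using String.prototype.trim(), which strips U+00A0) beside a strict parser that trims only ASCII SP/HTAB, validates each name as a token, keeps the first occurrence of a name, and returns the rejected names so a WAF rule or request logger can act on them. The sample Cookie header is constructed.

```javascript
// Added example (not Hono's parse()/getCookie() implementation).
// Goal: a cookie named "\u00a0__Host-session" must never be folded onto
// the legitimate "__Host-session" key.

// RFC 6265 cookie-name is an HTTP token: printable ASCII excluding
// separators, so U+00A0 (no-break space) can never appear in a valid name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidCookieName(name) {
  return TOKEN_RE.test(name);
}

// Naive parser, constructed for illustration only. String.prototype.trim()
// removes every Unicode WhiteSpace character, U+00A0 included, so the
// NBSP-prefixed name collides with the real one and the later pair wins.
function parseCookiesNaive(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    out[name] = value;
  }
  return out;
}

// Strict parser: only ASCII SP/HTAB are treated as surrounding whitespace,
// names must be tokens, the first occurrence of a name is kept, and every
// rejected name is reported for logging/blocking.
function parseCookiesStrict(header) {
  const cookies = new Map();
  const rejected = [];
  const ows = (s) => s.replace(/^[ \t]+|[ \t]+$/g, '');
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = ows(part.slice(0, idx));
    const value = ows(part.slice(idx + 1));
    if (!isValidCookieName(name)) {
      rejected.push(name);
      continue;
    }
    if (!cookies.has(name)) cookies.set(name, value);
  }
  return { cookies, rejected };
}

// Constructed sample header: a legitimate __Host- cookie followed by a
// cookie whose name starts with U+00A0.
const SAMPLE_HEADER = '__Host-session=legit; \u00a0__Host-session=forged';

console.log('naive :', parseCookiesNaive(SAMPLE_HEADER)['__Host-session']);   // forged
const strict = parseCookiesStrict(SAMPLE_HEADER);
console.log('strict:', strict.cookies.get('__Host-session'));                // legit
console.log('rejected names:', strict.rejected.map((n) => JSON.stringify(n)));
```

A non-empty `rejected` list is the signal the third recommended action asks for: the request carried a cookie name that no browser-set, prefix-protected cookie can legitimately have, so it can be logged and, depending on policy, the request refused.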

Advisories
Source: Github GHSA
ID: GHSA-r5rp-j6wh-rvv4
Title: Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared: Hono; Hono hono
Vendors & Products: Hono; Hono hono

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.
Title Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T15:17:14.892Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39410

Vulnrichment

Updated: 2026-04-08T15:17:10.331Z

NVD

Status : Analyzed

Published: 2026-04-08T15:16:15.143

Modified: 2026-04-21T18:26:00.277

Link: CVE-2026-39410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:30:11Z

Weaknesses