Skip to main content

CVE-2026-39410

| EUVDEUVD-2026-20499 MEDIUM
Improper Input Validation (CWE-20)
2026-04-08 https://github.com/honojs/hono GHSA-r5rp-j6wh-rvv4
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 00:30 euvd
EUVD-2026-20499
Analysis Generated
Apr 08, 2026 - 00:30 vuln.today
Patch released
Apr 08, 2026 - 00:30 nvd
Patch available
CVE Published
Apr 08, 2026 - 00:17 nvd
MEDIUM 4.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 64 npm packages depend on hono (48 direct, 16 indirect)

Ecosystem-wide dependent count for version 4.12.12.

DescriptionGitHub Advisory

Summary

A discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed.

Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones.

Details

Browsers follow RFC 6265bis and only trim SP (0x20) and HTAB (0x09) from cookie names. Other characters, such as the non-breaking space (U+00A0), are preserved as part of the cookie name.

For example, the browser treats the following cookies as distinct:

"dummy-cookie"
"\u00a0dummy-cookie"

However, parse() previously used JavaScript's trim(), which removes a broader set of characters including U+00A0. As a result, both names are normalized to:

"dummy-cookie"

This mismatch allows attacker-controlled cookies with a U+00A0 prefix to shadow or override legitimate cookies when accessed via getCookie().

Impact

An attacker who can set cookies (e.g., via a man-in-the-middle on a non-secure page or other injection vector) can bypass cookie prefix protections and override sensitive cookies.

This may lead to:

  • Bypassing __Secure- and __Host- prefix protections
  • Overriding cookies that rely on the Secure attribute
  • Session fixation or session hijacking depending on application usage

This issue affects applications that rely on getCookie() for security-sensitive cookie handling.

AnalysisAI

Cookie prefix protections can be bypassed in Hono's parse() function due to overly aggressive character trimming that diverges from RFC 6265bis browser behavior. An attacker who can set cookies (via MITM, injection, or other means) can use non-breaking space (U+00A0) prefixed cookie names to shadow legitimate cookies, potentially overriding security-sensitive cookies including those protected by __Secure- and __Host- prefixes. Patch available in Hono v4.12.12.

Technical ContextAI

Hono is a lightweight web framework for JavaScript runtimes that provides cookie handling utilities. The vulnerability exists in the parse() function, which is responsible for parsing HTTP cookie headers and normalizing cookie names for retrieval via getCookie(). RFC 6265bis (the modern cookie specification) requires browsers to trim only space (0x20) and horizontal tab (0x09) characters from cookie names, treating other Unicode whitespace characters like non-breaking space (U+00A0) as part of the legitimate cookie name. Hono's implementation previously used JavaScript's native trim() method, which removes a broader Unicode whitespace category including U+00A0. This mismatch creates a normalization gap: a cookie named "\u00a0dummy-cookie" is preserved by the browser but normalized to "dummy-cookie" by parse(), allowing an attacker-controlled cookie to collide with and shadow the legitimate "dummy-cookie" entry. The root cause is improper input validation and normalization (CWE-20), where the parser fails to strictly adhere to the RFC specification.

RemediationAI

Upgrade Hono to version 4.12.12 or later, which implements RFC 6265bis-compliant cookie name trimming that only removes space (0x20) and horizontal tab (0x09) characters. The patched version is available at https://github.com/honojs/hono/releases/tag/v4.12.12. Update package.json or lock file to specify hono@^4.12.12 (or @latest if using pinned dependencies), then run npm install (or equivalent for yarn/pnpm). For applications that cannot immediately upgrade, review cookie-dependent security logic (e.g., CSRF token validation, session management) and consider server-side validation to ensure cookie integrity is not compromised by client-side injection. No workarounds are available short of patching, as the issue is in the core parse() function. See GitHub advisory GHSA-r5rp-j6wh-rvv4 at https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4 for additional context.

Share

CVE-2026-39410 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy