GHSA-p6xx-57qc-3wxr

Suggest an improvement
Source
https://github.com/advisories/GHSA-p6xx-57qc-3wxr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p6xx-57qc-3wxr/GHSA-p6xx-57qc-3wxr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p6xx-57qc-3wxr
Aliases
  • CVE-2026-29085
Downstream
Related
Published
2026-03-04T19:48:41Z
Modified
2026-03-18T23:13:53.874943Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()
Details

Summary

When using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters.

Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields.

Details

The SSE helper builds event frames by joining lines with \n. While multi-line data: fields are handled according to the SSE specification, the event, id, and retry fields previously allowed raw values without rejecting embedded CR/LF characters.

Including CR/LF in these control fields could allow unintended additional fields (such as data:, id:, or retry:) to be injected into the event stream.

The issue has been fixed by rejecting CR/LF characters in these fields.

Impact

An attacker could manipulate the structure of SSE event frames if an application passed user-controlled input directly into event, id, or retry.

Depending on application behavior, this could result in injected SSE fields or altered event stream handling. Applications that render e.data in an unsafe manner (for example, using innerHTML) could potentially expose themselves to client-side script injection.

This issue affects applications that rely on the SSE helper to enforce protocol-level constraints.

Database specific 
{
    "github_reviewed_at": "2026-03-04T19:48:41Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-74"
    ],
    "nvd_published_at": "2026-03-04T23:16:10Z",
    "severity": "MODERATE"
}
References

Affected packages

npm / hono

Package

Name
hono
View open source insights on deps.dev
Purl
pkg:npm/hono

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.12.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p6xx-57qc-3wxr/GHSA-p6xx-57qc-3wxr.json"