GHSA-5pq2-9x2x-5p6w

Source
https://github.com/advisories/GHSA-5pq2-9x2x-5p6w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5pq2-9x2x-5p6w/GHSA-5pq2-9x2x-5p6w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5pq2-9x2x-5p6w
Aliases
  • CVE-2026-29086
Published
2026-03-04T19:49:14Z
Modified
2026-03-18T23:14:01.277623Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Details

Summary

The setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header.

Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields.

Details

setCookie() builds the Set-Cookie header by concatenating option values. While the cookie value itself is URL-encoded, the domain and path options were previously interpolated without rejecting unsafe characters.

Including ;, \r, or \n in these fields could result in unintended additional attributes (such as SameSite, Secure, Domain, or Path) being appended to the cookie header.

Modern runtimes prevent full header injection via CRLF, so this issue is limited to attribute-level manipulation within a single Set-Cookie header.

The issue has been fixed by rejecting these characters in the domain and path options.
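The following is an added example, not Hono's own code: a minimal Set-Cookie serializer that reproduces the concatenation pattern described above, a hardened variant that rejects `;`, `\r` and `\n` in the domain and path options, and a small attribute parser used to show what a tainted path does to the resulting header. The function names (serializeCookie, serializeCookieSafe, cookieAttributes) and the sample tainted path are assumptions constructed for illustration.

```javascript
// Added example (not Hono's code). Function names and sample values are
// constructed for illustration only.

// Characters that terminate or split a cookie attribute inside one header.
const UNSAFE_ATTR_CHARS = /[;\r\n]/;

// "Before": the value is URL-encoded, but domain and path are interpolated
// verbatim, so a ';' in either one starts a new attribute.
function serializeCookie(name, value, opts = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.domain) out += `; Domain=${opts.domain}`;
  if (opts.path) out += `; Path=${opts.path}`;
  if (opts.secure) out += '; Secure';
  if (opts.httpOnly) out += '; HttpOnly';
  return out;
}

// "After": refuse domain/path values that contain attribute delimiters
// or CR/LF, then serialize as before.
function serializeCookieSafe(name, value, opts = {}) {
  for (const key of ['domain', 'path']) {
    if (opts[key] !== undefined && UNSAFE_ATTR_CHARS.test(opts[key])) {
      throw new Error(`cookie option "${key}" contains ";", "\\r" or "\\n"`);
    }
  }
  return serializeCookie(name, value, opts);
}

// Parse the attribute list of a serialized header (everything after the
// name=value pair) into an object, the way a browser would see it.
function cookieAttributes(header) {
  const attrs = {};
  for (const part of header.split(';').slice(1)) {
    const [k, v = true] = part.trim().split('=');
    attrs[k] = v;
  }
  return attrs;
}

// Constructed sample: an application passes user input straight into
// `path`, and that input carries an extra attribute after a semicolon.
const TAINTED_PATH = '/app; SameSite=None';

// Shows the injected attribute in the vulnerable output and confirms the
// hardened serializer rejects the same input.
function demo() {
  const vulnerable = serializeCookie('session', 'abc', {
    path: TAINTED_PATH,
    secure: true,
  });
  let rejected = false;
  try {
    serializeCookieSafe('session', 'abc', { path: TAINTED_PATH });
  } catch {
    rejected = true;
  }
  return {
    vulnerable,
    injected: cookieAttributes(vulnerable).SameSite, // 'None' was never set by the app
    rejected,
  };
}

console.log(demo());
```

The check is deliberately a rejection rather than an escape: there is no standard encoding for cookie attribute values, so a domain or path containing a delimiter cannot be represented safely and the only correct response is to refuse it.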

Impact

An attacker may be able to manipulate cookie attributes if an application passes user-controlled input directly into the domain or path options of setCookie().

This could affect cookie scoping or security attributes depending on browser behavior. Exploitation requires application-level misuse of cookie options.

Database specific
{
    "github_reviewed_at": "2026-03-04T19:49:14Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1113",
        "CWE-113"
    ],
    "nvd_published_at": "2026-03-04T23:16:10Z",
    "severity": "MODERATE"
}
Affected packages

npm / hono

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.12.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5pq2-9x2x-5p6w/GHSA-5pq2-9x2x-5p6w.json"