{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39410", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.595Z", "datePublished": "2026-04-08T14:44:40.797Z", "dateUpdated": "2026-04-08T15:17:14.892Z"}, "containers": {"cna": {"title": "Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4"}, {"name": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0"}, {"name": "https://github.com/honojs/hono/releases/tag/v4.12.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12"}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"version": "< 4.12.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:44:40.797Z"}, "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12."}], "source": {"advisory": "GHSA-r5rp-j6wh-rvv4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:17:07.686689Z", "id": "CVE-2026-39410", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:17:14.892Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:17:07.686689Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:17:10.331Z"}}], "cna": {"title": "Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()", "source": {"advisory": "GHSA-r5rp-j6wh-rvv4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"status": "affected", "version": "< 4.12.12"}]}], "references": [{"url": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4", "name": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0", "name": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "name": "https://github.com/honojs/hono/releases/tag/v4.12.12", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:44:40.797Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39410", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:17:14.892Z", "dateReserved": "2026-04-07T00:23:30.595Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T14:44:40.797Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "295EEF12-243F-4561-B181-C19451B5285C", "versionEndIncluding": "4.12.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12."}], "id": "CVE-2026-39410", "lastModified": "2026-04-21T18:26:00.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T15:16:15.143", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.12.12)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "hono", "source": "cna", "vendor": "honojs"}, "product": "hono", "vendor": "hono"}], "analysis": {"en": {"generated_at": "2026-04-22T07:21:09.447909+00:00", "value": {"mitigation_remediation": ["Upgrade to Hono version 4.12.12 or newer, which fixes the cookie name handling bug.", "If immediate upgrade is not feasible, configure the application to reject or strip cookie names beginning with non\u2011breaking space characters before processing.", "Implement network monitoring or WAF rules to detect and block anomalous cookie names, and alert administrators of suspicious HTTP requests."], "summary": {"action": "Apply Patch", "impact": "Cookie Override"}, "threat_synthesis": {"affected_systems": "The Hono framework (honojs:hono) is affected in all versions earlier than 4.12.12. Any application that incorporates that version is vulnerable.", "description_and_impact": "A bug in Hono's cookie parsing allows cookies whose names begin with a non\u2011breaking space to be normalized to match a legitimate cookie key. The framework therefore treats the attacker\u2011controlled cookie as equivalent to a valid cookie, enabling the attacker to substitute the value of a legitimate cookie. This issue corresponds to CWE\u201120, Input Validation, but no additional weakness information is available from NVD.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate severity risk. The EPSS score of less than 1% suggests a low but non\u2011zero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack scenario, inferred from the description, requires the attacker to send an HTTP request that contains a cookie with a leading non\u2011breaking space character. This could be achieved by a malicious web page that sets such a cookie or by modifying traffic on the network. The attacker can then overwrite the value of a legitimate cookie, potentially impacting the application state."}}}}, "created": "2026-04-08T19:39:11.352457+00:00", "updated": "2026-04-22T07:30:11.615799+00:00", "vendors": ["hono", "hono$PRODUCT$hono"]}