CVE-2026-29086 Overview
CVE-2026-29086 is an Input Validation Error vulnerability affecting Hono, a popular Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields.
Critical Impact
Attackers can inject arbitrary cookie attributes through unsanitized domain and path parameters, potentially leading to session manipulation, cross-site scripting via cookie injection, or bypassing security controls like the Secure and HttpOnly flags.
Affected Products
- Hono Web Framework versions prior to 4.12.4
- Applications using setCookie() with user-controlled domain or path parameters
- JavaScript runtime environments running vulnerable Hono versions (Node.js, Deno, Bun, Cloudflare Workers, etc.)
Discovery Timeline
- 2026-03-04 - CVE-2026-29086 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-29086
Vulnerability Analysis
This vulnerability exists in Hono's cookie handling utility, specifically within the setCookie() function. The function constructs Set-Cookie HTTP response headers by concatenating user-supplied values for cookie attributes including domain and path. The core issue is that the function failed to sanitize special delimiter characters before incorporating them into the header value.
The Set-Cookie header format uses semicolons to separate cookie attributes (e.g., name=value; Path=/; Domain=example.com; Secure). When an attacker can inject a semicolon into the domain or path parameter, they can terminate the current attribute and inject additional ones. Similarly, carriage return (\r) and newline (\n) characters can be used for HTTP response splitting attacks in certain configurations.
Root Cause
The root cause is improper input validation (CWE-1113) in the setCookie() utility function. The function trusted that domain and path parameters would contain only valid characters, without performing validation or sanitization of delimiter characters. This created an injection vector when applications passed user-controllable data into these parameters.
Attack Vector
The attack requires a network-accessible application using Hono that passes user input to the setCookie() function's domain or path options. An attacker can craft malicious input containing semicolons followed by additional cookie attributes.
For example, if an application allows users to specify a subdomain preference that gets passed to the domain parameter, an attacker could supply a value like example.com; Secure; HttpOnly=false; Path=/admin to inject additional cookie attributes. This could potentially:
- Override security flags like Secure or HttpOnly
- Expand the cookie's scope to unintended paths
- Set arbitrary expiration dates
- In combination with other vulnerabilities, facilitate session fixation attacks
The vulnerability requires user interaction as the victim must trigger the cookie-setting action. For detailed technical information, see the GitHub Security Advisory.
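As an added illustration (not Hono's own code), the following contrasts a Set-Cookie builder that concatenates the domain and path options unchecked, as the advisory describes for versions before 4.12.4, with one that applies the reject-on-delimiter check the fix describes; the same check is what the pre-upgrade middleware in the Workarounds section would apply. The function names and the attacker-style input are constructed for this example.

```javascript
// Added example, not Hono's own implementation. serialize() joins attributes with
// "; " the way any Set-Cookie builder does; buildSetCookieUnsafe() mirrors the
// pre-4.12.4 behaviour of trusting domain/path, buildSetCookieSafe() adds the
// validation the fix describes. All three names are hypothetical.

// The attribute delimiter (;) and the line terminators (\r, \n) must never
// appear inside a single attribute value.
const FORBIDDEN = /[;\r\n]/;

function serialize(name, value, opts = {}) {
  let header = `${name}=${encodeURIComponent(value)}`;
  if (opts.path) header += `; Path=${opts.path}`;
  if (opts.domain) header += `; Domain=${opts.domain}`;
  if (opts.secure) header += "; Secure";
  if (opts.httpOnly) header += "; HttpOnly";
  return header;
}

// Vulnerable form: opts.domain / opts.path reach the header verbatim.
function buildSetCookieUnsafe(name, value, opts = {}) {
  return serialize(name, value, opts);
}

// Fixed form: refuse to build a header when domain or path carries a delimiter.
function buildSetCookieSafe(name, value, opts = {}) {
  for (const key of ["domain", "path"]) {
    const v = opts[key];
    if (typeof v === "string" && FORBIDDEN.test(v)) {
      throw new TypeError(`cookie ${key} must not contain ';', '\\r' or '\\n'`);
    }
  }
  return serialize(name, value, opts);
}

// Constructed input in the shape the advisory describes: a "subdomain
// preference" whose first semicolon terminates the Domain attribute.
const INJECTED_DOMAIN = "example.com; Secure; HttpOnly=false; Path=/admin";

// With the unsafe builder the header gains a Secure flag and a second Path
// attribute that the application never set:
//   session=abc; Path=/; Domain=example.com; Secure; HttpOnly=false; Path=/admin
console.log(buildSetCookieUnsafe("session", "abc", { domain: INJECTED_DOMAIN, path: "/" }));

// The safe builder throws instead of emitting the header.
try {
  buildSetCookieSafe("session", "abc", { domain: INJECTED_DOMAIN, path: "/" });
} catch (e) {
  console.log("rejected:", e.message);
}
```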
Detection Methods for CVE-2026-29086
Indicators of Compromise
- Unusual or malformed Set-Cookie headers in HTTP responses containing multiple semicolons in domain or path values
- Web application logs showing requests with semicolons, %3B, \r, \n, %0D, or %0A in parameters that influence cookie settings
- Error logs indicating cookie parsing failures or malformed header warnings
Detection Strategies
- Implement HTTP response header monitoring to detect anomalous Set-Cookie headers with unexpected attribute combinations
- Deploy web application firewall (WAF) rules to block requests containing semicolons and newline characters in cookie-related parameters
- Use static application security testing (SAST) tools to identify setCookie() calls that pass user input to domain or path parameters
- Review application dependency manifests for Hono versions prior to 4.12.4
Monitoring Recommendations
- Enable detailed HTTP response logging to capture full Set-Cookie header values for forensic analysis
- Configure alerting for HTTP responses containing multiple consecutive cookie attributes that could indicate injection attempts
- Monitor package management systems for outdated Hono dependencies across the application portfolio
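An added detection example (not from the advisory) that applies two of the indicators listed above to constructed data: it flags request parameters carrying a raw or percent-encoded semicolon, CR or LF, and flags Set-Cookie response headers in which Domain or Path occurs more than once. The log lines and function names are made up for this illustration.

```javascript
// Added detection example; function names and sample lines are constructed.

// Raw or percent-encoded ';', CR, LF (hex digits matched case-insensitively).
const DELIMS = /[;\r\n]|%3b|%0d|%0a/i;

function paramHasDelimiter(value) {
  return DELIMS.test(value);
}

// Names of query parameters whose value could terminate a cookie attribute.
function suspiciousParams(query) {
  const hits = [];
  for (const pair of query.split("&")) {
    const i = pair.indexOf("=");
    const name = i < 0 ? pair : pair.slice(0, i);
    const value = i < 0 ? "" : pair.slice(i + 1);
    if (paramHasDelimiter(value)) hits.push(name);
  }
  return hits;
}

// Attribute names that occur more than once in one Set-Cookie header value;
// a second Path or Domain is the signature of a successful injection.
function duplicateAttributes(setCookie) {
  const counts = new Map();
  for (const part of setCookie.split(";").slice(1)) { // slice(1) drops name=value
    const attr = part.trim().split("=")[0].toLowerCase();
    if (attr) counts.set(attr, (counts.get(attr) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([attr]) => attr);
}

// Constructed access-log lines: method, path?query, protocol.
const SAMPLE_LOG = [
  "GET /prefs?subdomain=shop HTTP/1.1",
  "GET /prefs?subdomain=example.com%3B%20Secure%3B%20Path%3D%2Fadmin HTTP/1.1",
  "GET /prefs?theme=dark&subdomain=a.example%0D%0Ainjected HTTP/1.1",
];

// One finding per line that carries a delimiter in some parameter.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/^\S+ \S+\?(\S+) /);
    if (!m) continue;
    const params = suspiciousParams(m[1]);
    if (params.length) findings.push({ line, params });
  }
  return findings;
}

console.log(scanAccessLog(SAMPLE_LOG));
console.log(duplicateAttributes("session=abc; Path=/; Domain=example.com; Secure; HttpOnly=false; Path=/admin"));
```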
How to Mitigate CVE-2026-29086
Immediate Actions Required
- Upgrade Hono to version 4.12.4 or later immediately across all affected applications
- Audit application code to identify any setCookie() calls that accept user input for domain or path parameters
- Implement input validation at the application layer to reject semicolons, carriage returns, and newlines in cookie-related parameters
- Review recent HTTP logs for evidence of exploitation attempts
Patch Information
The vulnerability has been patched in Hono version 4.12.4. The fix adds validation to reject semicolons (;), carriage returns (\r), and newline characters (\n) in the domain and path options of the setCookie() function. For technical details on the patch implementation, see the GitHub commit.
Workarounds
- If immediate upgrade is not possible, implement a middleware layer that sanitizes or rejects semicolons, \r, and \n characters from any user input before it reaches setCookie() calls
- Avoid passing user-controlled data to the domain and path parameters of setCookie() until the upgrade is complete
- Use allowlists for domain and path values rather than accepting arbitrary user input
# Upgrade Hono to the patched version (npm update does not take a version spec; install does)
npm install hono@4.12.4
# Or, if using another package manager
yarn upgrade hono@4.12.4
pnpm update hono@4.12.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.