CVE-2026-29086

5.4 MEDIUM

📋 TL;DR

This vulnerability in the Hono framework allows cookie attribute injection when untrusted input is passed to the setCookie() domain or path parameters. An attacker who controls those values could inject additional cookie attributes such as HttpOnly or Secure flags, potentially bypassing security controls. All Hono applications that call setCookie() with user-controlled input are affected.

💻 Affected Systems

Products:
  • Hono
Versions: All versions prior to 4.12.4
Operating Systems: All platforms running Node.js or other JavaScript runtimes
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the setCookie() utility with user-controlled domain or path parameters. Applications that validate the input or use hardcoded values are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could inject malicious cookie attributes to bypass security controls like HttpOnly or SameSite, potentially enabling session hijacking or cross-site request forgery attacks.

🟠

Likely Case

Limited impact requiring specific conditions: the attacker needs control over the domain/path parameters, and the application must use these values without validation. Most likely results in cookie manipulation rather than full compromise.

🟢

If Mitigated

If applications validate user input before passing it to setCookie(), impact is minimal to none, since the vulnerability requires untrusted input.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to control the domain or path parameters passed to setCookie(). This typically requires an application logic flaw or improper input handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.12.4

Vendor Advisory: https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w

Restart Required: Yes

Instructions:

1. Update Hono package to version 4.12.4 or later using npm: npm update hono@^4.12.4
2. Restart your application
3. Verify the update with npm list hono

🔧 Temporary Workarounds

Input Validation Workaround

Platform: all

Validate and sanitize all user input before passing it to the setCookie() domain and path parameters.

// JavaScript example: Validate domain/path parameters
function sanitizeCookieParam(input) {
  return input.replace(/[;\r\n]/g, '');
}
// Use: setCookie(name, value, { domain: sanitizeCookieParam(userInput) })
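A stricter alternative to stripping, added here as an example and not code from Hono or from this advisory: reject domain and path values that contain any character RFC 6265 forbids in a cookie attribute value, and check emitted Set-Cookie headers for attributes the application did not set (the indicator listed under Detection & Monitoring). The header inputs are constructed samples; `setCookie` itself is not called.

```javascript
// RFC 6265 forbids CTLs (0x00-0x1F, 0x7F) and ';' inside a cookie-av value;
// any of them lets an extra attribute be appended to the Set-Cookie line.
const CONTROL_OR_SEMICOLON = /[\x00-\x1f\x7f;]/;

// Domain: dot-separated labels of letters, digits and hyphens; a leading dot
// is tolerated because some callers still pass ".example.com".
const DOMAIN_RE =
  /^\.?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// Returns the normalised domain, or null if the value must not reach setCookie().
function validateCookieDomain(input) {
  if (typeof input !== 'string' || CONTROL_OR_SEMICOLON.test(input)) return null;
  return DOMAIN_RE.test(input) ? input.toLowerCase() : null;
}

// Returns the path unchanged, or null. A cookie path must start with '/' and
// may not contain CTLs or ';'.
function validateCookiePath(input) {
  if (typeof input !== 'string' || !input.startsWith('/')) return null;
  return CONTROL_OR_SEMICOLON.test(input) ? null : input;
}

// Detection helper: names of attributes present in a Set-Cookie header that
// are not in the set the application intended to emit (compared case-insensitively).
function unexpectedCookieAttributes(setCookieHeader, expectedAttributes) {
  const allowed = new Set(expectedAttributes.map((a) => a.toLowerCase()));
  return setCookieHeader
    .split(';')
    .slice(1) // drop the leading name=value pair
    .map((part) => part.trim().split('=')[0].toLowerCase())
    .filter((name) => name !== '' && !allowed.has(name));
}

// Constructed sample: the application only set Domain and Path on this cookie,
// so HttpOnly and Secure did not come from the application's own options.
const SAMPLE_HEADER = 'session=abc123; Domain=example.com; Path=/app; HttpOnly; Secure';
const EXPECTED = ['Domain', 'Path'];
```

Calling `unexpectedCookieAttributes(SAMPLE_HEADER, EXPECTED)` on the constructed header returns `['httponly', 'secure']`, and both validators return null for inputs such as `'example.com; HttpOnly'`.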

🧯 If You Can't Patch

  • Implement strict input validation for all parameters passed to setCookie() utility
  • Avoid passing user-controlled data to domain and path parameters of setCookie()

🔍 How to Verify

Check if Vulnerable:

Check package.json for Hono version <4.12.4 and review code for setCookie() calls with user-controlled domain/path parameters

Check Version:

npm list hono | grep hono

Verify Fix Applied:

Verify that the Hono version is 4.12.4 or higher and test setCookie() with input containing ;, \r, or \n characters to confirm they no longer reach the Set-Cookie header.

📡 Detection & Monitoring

Log Indicators:

  • Unusual cookie headers with multiple attributes from single setCookie() call
  • Cookie values containing control characters in domain/path fields

Network Indicators:

  • Set-Cookie headers with unexpected additional attributes
  • Multiple cookie attributes originating from what should be a single parameter value

SIEM Query:

web.logs | where cookie_header contains "; " and cookie_header matches ".*[\r\n;].*"
