CVE-2026-39410
Status: Received - Intake
Cookie Prefix Bypass in Hono Framework Enables Cookie Overwrite

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: hono
Product: hono
Version / Range: up to 4.12.11 (inclusive)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39410 is a vulnerability in the hono JavaScript web application framework related to how it parses cookie names. Browsers treat cookie names with certain whitespace characters, like non-breaking spaces, as distinct cookies. However, hono's parse() function previously used a generic trim() method that removed a wider range of whitespace characters, including non-breaking spaces. This caused different cookie names that browsers see as distinct to be normalized to the same key internally in hono.

As a result, attacker-controlled cookies with names prefixed by non-breaking spaces could override or shadow legitimate cookies when accessed via hono's getCookie() function, bypassing cookie prefix protections such as __Secure- and __Host-. This discrepancy could lead to security issues like session fixation or session hijacking depending on how the application uses cookies.

The issue was fixed in hono version 4.12.12 by refining the cookie parsing logic to only trim space and horizontal tab characters, properly handling non-breaking spaces, and validating cookie names more strictly.


How can this vulnerability impact me?

This vulnerability can allow attackers to bypass cookie prefix protections and override legitimate cookies by exploiting differences in how browsers and hono parse cookie names. Specifically, attacker-controlled cookies with non-breaking space prefixes can shadow secure cookies.

  • Bypassing cookie prefix protections such as __Secure- and __Host-.
  • Overriding cookies that rely on the Secure attribute.
  • Potentially enabling session fixation or session hijacking attacks.

These impacts affect applications that rely on hono's getCookie() function for security-sensitive cookie handling, potentially compromising user sessions and data integrity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting cookies in HTTP requests to identify if any cookie names contain non-breaking space (U+00A0) characters or other unusual whitespace characters that browsers treat distinctly but the vulnerable hono parse() function would normalize. Such cookies could be used to override legitimate cookies.

You can capture HTTP traffic and examine cookie headers for suspicious cookie names prefixed with non-breaking spaces or other whitespace characters.

Example commands to detect such cookies include:

  • Capture HTTP traffic with tcpdump and filter for Cookie headers:
    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Cookie:'
  • Extract cookie headers with tshark:
    tshark -Y 'http.cookie' -T fields -e http.cookie
  • Then check, manually or with a script, for cookie names starting with or containing non-breaking space characters (U+00A0).

Alternatively, review application logs or debug output for cookie parsing anomalies or unexpected cookie overrides.
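The parsing discrepancy described in the first answer and the cookie-name check described in this one, as an added example that is not Hono's code: an illustrative parser using a generic trim() beside a hardened one that trims only SP/HTAB and rejects non-token names, plus a scan of a raw Cookie header for names a browser keeps distinct but trim() would merge. The constructed header value, the RFC 6265 token regex, and the "later pair wins" rule in the vulnerable parser are assumptions made here, not details taken from Hono.

```javascript
// Illustrative cookie-name handling for the CVE-2026-39410 discrepancy.
// Written for this page; these functions are NOT Hono's code.
const NBSP = "\u00A0";

// RFC 6265 token grammar for cookie names (assumed strict rule).
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Trim only SP and HTAB, the optional whitespace RFC 6265 allows around pairs.
const trimOws = (s) => s.replace(/^[ \t]+|[ \t]+$/g, "");

// Vulnerable pattern: String.prototype.trim() strips all Unicode whitespace,
// so "\u00A0__Secure-sid" and "__Secure-sid" collapse onto one key (later pair wins here).
function parseCookieVulnerable(header) {
  const out = Object.create(null);
  for (const pair of header.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    out[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return out;
}

// Hardened pattern: trim only SP/HTAB, drop names outside the token grammar
// instead of normalizing them, and keep the first occurrence of a name.
function parseCookieHardened(header) {
  const out = Object.create(null);
  for (const pair of header.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const name = trimOws(pair.slice(0, eq));
    if (!TOKEN_RE.test(name) || name in out) continue;
    out[name] = trimOws(pair.slice(eq + 1));
  }
  return out;
}

// Detection over a raw Cookie header: names that still carry U+00A0 or any
// non-token character after SP/HTAB trimming are the ones a generic trim() would merge.
function findSuspiciousCookieNames(header) {
  const hits = [];
  for (const pair of header.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const name = trimOws(pair.slice(0, eq));
    if (name.includes(NBSP) || !TOKEN_RE.test(name)) hits.push(name);
  }
  return hits;
}

// Constructed sample: a legitimate prefixed cookie, then a look-alike whose name begins with U+00A0.
const SAMPLE_COOKIE_HEADER = `__Secure-sid=legit; ${NBSP}__Secure-sid=forged`;
```

Running the same header through both parsers shows the vulnerable one returning the look-alike's value for `__Secure-sid` while the hardened one keeps the legitimate value and drops the malformed name.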


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the hono package to version 4.12.12 or later, where the vulnerability has been fixed by refining cookie parsing to correctly handle whitespace characters according to RFC 6265bis.

If upgrading immediately is not possible, consider implementing additional validation on cookie names in your application to reject or sanitize cookies with unusual whitespace characters such as non-breaking spaces.

Also, monitor and audit cookies used by your application to detect suspicious cookie names that could be used to override legitimate cookies.

Review your application's reliance on getCookie() for security-sensitive operations and consider additional safeguards such as explicit cookie name validation or alternative cookie handling mechanisms.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in hono's cookie parsing allows attacker-controlled cookies to override legitimate ones, potentially enabling session fixation or session hijacking attacks. Such security weaknesses can lead to unauthorized access or data breaches.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable session hijacking or unauthorized access can impact compliance by risking the confidentiality and integrity of personal or sensitive data.

Therefore, applications using vulnerable versions of hono may face increased risk of non-compliance with regulations that require protection of user data and secure session management.

