CVE-2026-39410
Received Received - Intake
Cookie Prefix Bypass in Hono Framework Enables Cookie Overwrite

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-39410
EUVD
EUVD-2026-20499
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hono hono to 4.12.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39410 is a vulnerability in the hono JavaScript web application framework related to how it parses cookie names. Browsers treat cookie names with certain whitespace characters, like non-breaking spaces, as distinct cookies. However, hono's parse() function previously used a generic trim() method that removed a wider range of whitespace characters, including non-breaking spaces. This caused different cookie names that browsers see as distinct to be normalized to the same key internally in hono.

As a result, attacker-controlled cookies with names prefixed by non-breaking spaces could override or shadow legitimate cookies when accessed via hono's getCookie() function, bypassing cookie prefix protections such as __Secure- and __Host-. This discrepancy could lead to security issues like session fixation or session hijacking depending on how the application uses cookies.

The issue was fixed in hono version 4.12.12 by refining the cookie parsing logic to only trim space and horizontal tab characters, properly handling non-breaking spaces, and validating cookie names more strictly.

Impact Analysis

This vulnerability can allow attackers to bypass cookie prefix protections and override legitimate cookies by exploiting differences in how browsers and hono parse cookie names. Specifically, attacker-controlled cookies with non-breaking space prefixes can shadow secure cookies.

  • Bypassing cookie prefix protections such as __Secure- and __Host-.
  • Overriding cookies that rely on the Secure attribute.
  • Potentially enabling session fixation or session hijacking attacks.

These impacts affect applications that rely on hono's getCookie() function for security-sensitive cookie handling, potentially compromising user sessions and data integrity.

Detection Guidance

This vulnerability can be detected by inspecting cookies in HTTP requests to identify if any cookie names contain non-breaking space (U+00A0) characters or other unusual whitespace characters that browsers treat distinctly but the vulnerable hono parse() function would normalize. Such cookies could be used to override legitimate cookies.

You can capture HTTP traffic and examine cookie headers for suspicious cookie names prefixed with non-breaking spaces or other whitespace characters.

Example commands to detect such cookies include:

  • Using tcpdump or tshark to capture HTTP traffic and filter for Cookie headers:
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Cookie:'
  • Using tshark to extract cookie headers:
  • tshark -Y 'http.cookie' -T fields -e http.cookie
  • Then manually or with scripts check for cookie names starting with or containing non-breaking space characters (U+00A0).

Alternatively, review application logs or debug output for cookie parsing anomalies or unexpected cookie overrides.

Mitigation Strategies

The primary mitigation is to upgrade the hono package to version 4.12.12 or later, where the vulnerability has been fixed by refining cookie parsing to correctly handle whitespace characters according to RFC 6265bis.

If upgrading immediately is not possible, consider implementing additional validation on cookie names in your application to reject or sanitize cookies with unusual whitespace characters such as non-breaking spaces.

Also, monitor and audit cookies used by your application to detect suspicious cookie names that could be used to override legitimate cookies.

Review your application's reliance on getCookie() for security-sensitive operations and consider additional safeguards such as explicit cookie name validation or alternative cookie handling mechanisms.

Compliance Impact

The vulnerability in hono's cookie parsing allows attacker-controlled cookies to override legitimate ones, potentially enabling session fixation or session hijacking attacks. Such security weaknesses can lead to unauthorized access or data breaches.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable session hijacking or unauthorized access can impact compliance by risking the confidentiality and integrity of personal or sensitive data.

Therefore, applications using vulnerable versions of hono may face increased risk of non-compliance with regulations that require protection of user data and secure session management.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39410. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart