{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39410", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.595Z", "datePublished": "2026-04-08T14:44:40.797Z", "dateUpdated": "2026-04-08T15:17:14.892Z"}, "containers": {"cna": {"title": "Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4"}, {"name": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0"}, {"name": "https://github.com/honojs/hono/releases/tag/v4.12.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12"}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"version": "< 4.12.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:44:40.797Z"}, "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12."}], "source": {"advisory": "GHSA-r5rp-j6wh-rvv4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:17:07.686689Z", "id": "CVE-2026-39410", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:17:14.892Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:17:07.686689Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:17:10.331Z"}}], "cna": {"title": "Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()", "source": {"advisory": "GHSA-r5rp-j6wh-rvv4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"status": "affected", "version": "< 4.12.12"}]}], "references": [{"url": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4", "name": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0", "name": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "name": "https://github.com/honojs/hono/releases/tag/v4.12.12", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:44:40.797Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39410", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:17:14.892Z", "dateReserved": "2026-04-07T00:23:30.595Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T14:44:40.797Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12."}], "id": "CVE-2026-39410", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T15:16:15.143", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0"}, {"source": "security-advisories@github.com", "url": "https://github.com/honojs/hono/releases/tag/v4.12.12"}, {"source": "security-advisories@github.com", "url": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T17:50:42.070678+00:00", "value": {"mitigation_remediation": ["Upgrade to Hono version 4.12.12 or newer, which fixes the cookie name handling bug."], "summary": {"action": "Apply Patch", "impact": "Cookie Override"}, "threat_synthesis": {"affected_systems": "The Hono framework (honojs:hono) is affected in all versions earlier than 4.12.12. Any application that incorporates that version is vulnerable.", "description_and_impact": "A bug in Hono's cookie parsing allows cookies whose names begin with a non\u2011breaking space to be normalized to match a legitimate cookie key. The framework therefore treats the attacker\u2011controlled cookie as equivalent to a valid cookie, enabling the attacker to substitute the value of a legitimate cookie.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate severity risk. EPSS data is not supplied and the vulnerability is not listed in the CISA KEV catalog. The likely attack scenario, inferred from the description, requires the attacker to send an HTTP request that contains a cookie with a leading non\u2011breaking space character. This could be achieved by a malicious web page that sets such a cookie or by modifying traffic on the network. The attacker can then overwrite the value of a legitimate cookie, potentially impacting the application state."}}}}, "created": "2026-04-08T19:39:11.352457+00:00", "updated": "2026-04-08T19:39:11.352486+00:00", "vendors": []}