Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.5
Hono SSE Helper Allows Malicious Data Injection
CVE-2026-29085
GHSA-p6xx-57qc-3wxr
Summary
An attacker could manipulate the structure of Hono's SSE event frames by injecting malicious data through the 'event', 'id', or 'retry' fields, potentially leading to security issues such as cross-site scripting. This issue affects applications that use Hono's SSE helper. To mitigate, update to the latest version of the SSE helper, which now rejects malicious input in these fields.
What to do
- Update yusukebe hono to version 4.12.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| yusukebe | hono | <= 4.12.4 | 4.12.4 |
| hono | hono | <= 4.12.4 | – |
Original title
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()
Original description
## Summary
When using `streamSSE()` in Streaming Helper, the `event`, `id`, and `retry` fields were not validated for carriage return (`\r`) or newline (`\n`) characters.
Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields.
## Details
The SSE helper builds event frames by joining lines with `\n`. While multi-line `data:` fields are handled according to the SSE specification, the `event`, `id`, and `retry` fields previously allowed raw values without rejecting embedded CR/LF characters.
Including CR/LF in these control fields could allow unintended additional fields (such as `data:`, `id:`, or `retry:`) to be injected into the event stream.
The issue has been fixed by rejecting CR/LF characters in these fields.
## Impact
An attacker could manipulate the structure of SSE event frames if an application passed user-controlled input directly into `event`, `id`, or `retry`.
Depending on application behavior, this could result in injected SSE fields or altered event stream handling. Applications that render `e.data` in an unsafe manner (for example, using `innerHTML`) could potentially expose themselves to client-side script injection.
This issue affects applications that rely on the SSE helper to enforce protocol-level constraints.
When using `streamSSE()` in Streaming Helper, the `event`, `id`, and `retry` fields were not validated for carriage return (`\r`) or newline (`\n`) characters.
Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields.
## Details
The SSE helper builds event frames by joining lines with `\n`. While multi-line `data:` fields are handled according to the SSE specification, the `event`, `id`, and `retry` fields previously allowed raw values without rejecting embedded CR/LF characters.
Including CR/LF in these control fields could allow unintended additional fields (such as `data:`, `id:`, or `retry:`) to be injected into the event stream.
The issue has been fixed by rejecting CR/LF characters in these fields.
## Impact
An attacker could manipulate the structure of SSE event frames if an application passed user-controlled input directly into `event`, `id`, or `retry`.
Depending on application behavior, this could result in injected SSE fields or altered event stream handling. Applications that render `e.data` in an unsafe manner (for example, using `innerHTML`) could potentially expose themselves to client-side script injection.
This issue affects applications that rely on the SSE helper to enforce protocol-level constraints.
nvd CVSS3.1
6.5
Vulnerability type
CWE-74
Injection
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026