Hono Cookie Injection Risk via Unvalidated Domain and Path

CVE-2026-29086 GHSA-5pq2-9x2x-5p6w
Summary

Hono's cookie handling may allow attackers to manipulate cookie settings if user input is passed directly into the domain or path fields. This could affect how cookies are scoped or secured in the browser. To protect against this, ensure that any user input is properly sanitized and validated before passing it to the setCookie() function.

What to do
  • Update yusukebe hono to version 4.12.4.
Affected software

Vendor     Product   Affected versions   Fix available
yusukebe   hono      <= 4.12.4           4.12.4
hono       hono      <= 4.12.4           –
Original title
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Original description
## Summary

The `setCookie()` utility did not validate semicolons (`;`), carriage returns (`\r`), or newline characters (`\n`) in the `domain` and `path` options when constructing the `Set-Cookie` header.

Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields.

## Details

`setCookie()` builds the `Set-Cookie` header by concatenating option values. While the cookie value itself is URL-encoded, the `domain` and `path` options were previously interpolated without rejecting unsafe characters.

Including `;`, `\r`, or `\n` in these fields could result in unintended additional attributes (such as `SameSite`, `Secure`, `Domain`, or `Path`) being appended to the cookie header.

Modern runtimes prevent full header injection via CRLF, so this issue is limited to attribute-level manipulation within a single `Set-Cookie` header.

The issue has been fixed by rejecting these characters in the `domain` and `path` options.

## Impact

An attacker may be able to manipulate cookie attributes if an application passes user-controlled input directly into the `domain` or `path` options of `setCookie()`.

This could affect cookie scoping or security attributes depending on browser behavior. Exploitation requires application-level misuse of cookie options.
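The following is an added illustration, not Hono's own code: a minimal `Set-Cookie` serializer in the unchecked form the advisory describes (domain and path concatenated verbatim) beside a hardened form that rejects `;`, `\r` and `\n` in those options before they reach the header. All function names and the sample path value are constructed for the example.

```javascript
// Added example modelling the flaw and its fix; names are hypothetical.

// Characters that terminate or split a Set-Cookie attribute: the attribute
// delimiter and the line terminators.
const UNSAFE_ATTRIBUTE_CHARS = /[;\r\n]/;

// Unchecked pattern: the cookie value is URL-encoded, but domain and path are
// interpolated as-is, so a ';' inside them starts a new attribute.
function serializeCookieUnchecked(name, value, opts = {}) {
  let header = `${name}=${encodeURIComponent(value)}`;
  if (opts.domain) header += `; Domain=${opts.domain}`;
  if (opts.path) header += `; Path=${opts.path}`;
  if (opts.httpOnly) header += '; HttpOnly';
  return header;
}

// Hardened pattern: refuse delimiter and line-terminator characters in the
// attribute values, mirroring the fix described in the advisory.
function assertSafeAttribute(attrName, attrValue) {
  if (UNSAFE_ATTRIBUTE_CHARS.test(attrValue)) {
    throw new TypeError(`${attrName} contains ';', CR or LF`);
  }
  return attrValue;
}

function serializeCookieChecked(name, value, opts = {}) {
  const safe = { ...opts };
  if (opts.domain !== undefined) safe.domain = assertSafeAttribute('domain', opts.domain);
  if (opts.path !== undefined) safe.path = assertSafeAttribute('path', opts.path);
  return serializeCookieUnchecked(name, value, safe);
}

// Constructed sample: a path value copied from an untrusted request parameter.
const untrustedPath = '/app; SameSite=None';

// Returns the header the unchecked serializer emits and whether the checked
// serializer rejected the same input.
function demo() {
  const injected = serializeCookieUnchecked('session', 'abc', { path: untrustedPath, httpOnly: true });
  let rejected = false;
  try {
    serializeCookieChecked('session', 'abc', { path: untrustedPath, httpOnly: true });
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { injected, rejected };
}
```

Note that the unchecked output carries an extra `SameSite=None` attribute the application never set; the checked serializer throws instead, so the header is never sent.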
CVSS 3.1 (NVD): 5.4
Vulnerability type: CWE-1113, CWE-113
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026