Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit de7aebb8d040 · 2026-03-04T19:49:50.000Z
GHSA-5pq2-9x2x-5p6w GHSA-p6xx-57qc-3wxr GHSA-q5qw-h33p-qvwr
diff --git a/advisories/github-reviewed/2026/03/GHSA-5pq2-9x2x-5p6w/GHSA-5pq2-9x2x-5p6w.json b/advisories/github-reviewed/2026/03/GHSA-5pq2-9x2x-5p6w/GHSA-5pq2-9x2x-5p6w.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5pq2-9x2x-5p6w",
+  "modified": "2026-03-04T19:49:14Z",
+  "published": "2026-03-04T19:49:14Z",
+  "aliases": [
+    "CVE-2026-29086"
+  ],
+  "summary": "Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()",
+  "details": "## Summary\n\nThe `setCookie()` utility did not validate semicolons (`;`), carriage returns (`\\r`), or newline characters (`\\n`) in the `domain` and `path` options when constructing the `Set-Cookie` header.\n\nBecause cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields.\n\n## Details\n\n`setCookie()` builds the `Set-Cookie` header by concatenating option values. While the cookie value itself is URL-encoded, the `domain` and `path` options were previously interpolated without rejecting unsafe characters.\n\nIncluding `;`, `\\r`, or `\\n` in these fields could result in unintended additional attributes (such as `SameSite`, `Secure`, `Domain`, or `Path`) being appended to the cookie header.\n\nModern runtimes prevent full header injection via CRLF, so this issue is limited to attribute-level manipulation within a single `Set-Cookie` header.\n\nThe issue has been fixed by rejecting these characters in the `domain` and `path` options.\n\n## Impact\n\nAn attacker may be able to manipulate cookie attributes if an application passes user-controlled input directly into the `domain` or `path` options of `setCookie()`.\n\nThis could affect cookie scoping or security attributes depending on browser behavior. Exploitation requires application-level misuse of cookie options.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "hono"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.12.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/honojs/hono"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-113"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T19:49:14Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-p6xx-57qc-3wxr/GHSA-p6xx-57qc-3wxr.json b/advisories/github-reviewed/2026/03/GHSA-p6xx-57qc-3wxr/GHSA-p6xx-57qc-3wxr.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p6xx-57qc-3wxr",
+  "modified": "2026-03-04T19:48:42Z",
+  "published": "2026-03-04T19:48:41Z",
+  "aliases": [
+    "CVE-2026-29085"
+  ],
+  "summary": "Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()",
+  "details": "## Summary\n\nWhen using `streamSSE()` in Streaming Helper, the `event`, `id`, and `retry` fields were not validated for carriage return (`\\r`) or newline (`\\n`) characters.\n\nBecause the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields.\n\n## Details\n\nThe SSE helper builds event frames by joining lines with `\\n`. While multi-line `data:` fields are handled according to the SSE specification, the `event`, `id`, and `retry` fields previously allowed raw values without rejecting embedded CR/LF characters.\n\nIncluding CR/LF in these control fields could allow unintended additional fields (such as `data:`, `id:`, or `retry:`) to be injected into the event stream.\n\nThe issue has been fixed by rejecting CR/LF characters in these fields.\n\n## Impact\n\nAn attacker could manipulate the structure of SSE event frames if an application passed user-controlled input directly into `event`, `id`, or `retry`.\n\nDepending on application behavior, this could result in injected SSE fields or altered event stream handling. Applications that render `e.data` in an unsafe manner (for example, using `innerHTML`) could potentially expose themselves to client-side script injection.\n\nThis issue affects applications that rely on the SSE helper to enforce protocol-level constraints.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "hono"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.12.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/honojs/hono/commit/f4123ed9ea3c7c52380cc99a079a4d773838846e"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/honojs/hono"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T19:48:41Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-q5qw-h33p-qvwr/GHSA-q5qw-h33p-qvwr.json b/advisories/github-reviewed/2026/03/GHSA-q5qw-h33p-qvwr/GHSA-q5qw-h33p-qvwr.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q5qw-h33p-qvwr",
+  "modified": "2026-03-04T19:48:00Z",
+  "published": "2026-03-04T19:48:00Z",
+  "aliases": [
+    "CVE-2026-29045"
+  ],
+  "summary": "Hono vulnerable to arbitrary file access via serveStatic vulnerability ",
+  "details": "## Summary\n\nWhen using `serveStatic` together with route-based middleware protections (e.g. `app.use('/admin/*', ...)`), inconsistent URL decoding allowed protected static resources to be accessed without authorization.\n\nThe router used `decodeURI`, while `serveStatic` used `decodeURIComponent`. This mismatch allowed paths containing encoded slashes (`%2F`) to bypass middleware protections while still resolving to the intended filesystem path.\n\n\n## Details\n\nThe routing layer preserved `%2F` as a literal string, while `serveStatic` decoded it into `/` before resolving the file path.\n\nExample:\n\nRequest: `/admin%2Fsecret.html`\n\n- Router sees: `/admin%2Fsecret.html` → does not match `/admin/*`\n- Static handler resolves: `/admin/secret.html`\n\nAs a result, static files under the configured static root could be served without triggering route-based protections.\n\nThis only affects applications that both:\n\n- Protect subpaths using route-based middleware, and\n- Serve files from the same static root using `serveStatic`.\n\nThis does **not** allow access outside the static root and is **not** a path traversal vulnerability.\n\n\n## Impact\n\nAn unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes.\n\nApplications relying solely on route-based middleware to protect static subpaths may have exposed those resources.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "hono"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.12.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/honojs/hono"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-177"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T19:48:00Z",
+    "nvd_published_at": null
+  }
+}
