CVE-2026-29085
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()
Description
## Summary When using `streamSSE()` in Streaming Helper, the `event`, `id`, and `retry` fields were not validated for carriage return (`\r`) or newline (`\n`) characters. Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields. ## Details The SSE helper builds event frames by joining lines with `\n`. While multi-line `data:` fields are handled according to the SSE specification, the `event`, `id`, and `retry` fields previously allowed raw values without rejecting embedded CR/LF characters. Including CR/LF in these control fields could allow unintended additional fields (such as `data:`, `id:`, or `retry:`) to be injected into the event stream. The issue has been fixed by rejecting CR/LF characters in these fields. ## Impact An attacker could manipulate the structure of SSE event frames if an application passed user-controlled input directly into `event`, `id`, or `retry`. Depending on application behavior, this could result in injected SSE fields or altered event stream handling. Applications that render `e.data` in an unsafe manner (for example, using `innerHTML`) could potentially expose themselves to client-side script injection. This issue affects applications that rely on the SSE helper to enforce protocol-level constraints.
How to fix CVE-2026-29085
To remediate CVE-2026-29085, upgrade the affected package to a fixed version below.
- —upgrade to 4.12.4 or later
Is CVE-2026-29085 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 4.12.4