CVE-2026-29086
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Description
## Summary The `setCookie()` utility did not validate semicolons (`;`), carriage returns (`\r`), or newline characters (`\n`) in the `domain` and `path` options when constructing the `Set-Cookie` header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. ## Details `setCookie()` builds the `Set-Cookie` header by concatenating option values. While the cookie value itself is URL-encoded, the `domain` and `path` options were previously interpolated without rejecting unsafe characters. Including `;`, `\r`, or `\n` in these fields could result in unintended additional attributes (such as `SameSite`, `Secure`, `Domain`, or `Path`) being appended to the cookie header. Modern runtimes prevent full header injection via CRLF, so this issue is limited to attribute-level manipulation within a single `Set-Cookie` header. The issue has been fixed by rejecting these characters in the `domain` and `path` options. ## Impact An attacker may be able to manipulate cookie attributes if an application passes user-controlled input directly into the `domain` or `path` options of `setCookie()`. This could affect cookie scoping or security attributes depending on browser behavior. Exploitation requires application-level misuse of cookie options.
How to fix CVE-2026-29086
To remediate CVE-2026-29086, upgrade the affected package to a fixed version below.
- —upgrade to 4.12.4 or later
Is CVE-2026-29086 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 4.12.4