Tarpeg007

**Name of the Vulnerable Software and Affected Versions** Hono versions prior to 4.12.4 **Description** Hono is a Web application framework supporting various JavaScript runtimes. A flaw exists where the `event`, `id`, and `retry` fields within the `streamSSE()` function in the Streaming Helper were not properly validated for carriage return (r) or newline ( ) characters. The Server-Sent Events (SSE) protocol utilizes line breaks to delineate fields. Consequently, if untrusted input containing these characters was supplied to these fields, it could enable the injection of additional SSE fields within the same event frame. The issue stems from the SSE helper constructing event frames by joining lines with , and previously allowing raw values without rejecting CR/LF characters in the `event`, `id`, and `retry` fields. This could lead to the injection of additional fields like `data:`, `id:`, or `retry:`. Applications that render `e.data` unsafely, such as using `innerHTML`, could be vulnerable to client-side script injection. **Recommendations** Versions prior to 4.12.4 should be updated to version 4.12.4 or later.

**Name of the Vulnerable Software and Affected Versions** Hono versions prior to 4.12.4 **Description** The `setCookie()` utility did not properly validate semicolons (;), carriage returns (r), or newline characters ( ) in the `domain` and `path` options when creating the `Set-Cookie` header. Because cookie attributes are separated by semicolons, this could allow an attacker to inject additional cookie attributes if untrusted input is used in these fields. The issue stems from the interpolation of the `domain` and `path` options without rejecting unsafe characters. Including characters like `;`, `r`, or ` ` could lead to unintended cookie attributes being added to the header, potentially affecting cookie scoping or security. Exploitation requires misuse of cookie options at the application level. **Recommendations** Update to version 4.12.4 or later.