PT-2026-23076 · Hono · Hono

Tarpeg007 · Published 2026-03-04 · Updated 2026-03-30 · CVE-2026-29085

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.4

Description: Hono is a web application framework supporting various JavaScript runtimes. A flaw exists where the event, id, and retry fields within the streamSSE() function in the Streaming Helper were not properly validated for carriage return (\r) or newline (\n) characters. The Server-Sent Events (SSE) protocol uses line breaks to delimit fields, so if untrusted input containing these characters was supplied to these fields, it could enable the injection of additional SSE fields within the same event frame. The issue stems from the SSE helper constructing event frames by joining lines with \n and previously allowing raw values without rejecting CR/LF characters in the event, id, and retry fields. This could lead to the injection of additional fields such as data:, id:, or retry:. Applications that render e.data unsafely, such as by assigning it to innerHTML, could be vulnerable to client-side script injection.

Recommendations: Versions prior to 4.12.4 should be updated to version 4.12.4 or later.
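The framing defect described above, as an added example that is not Hono's own code: a minimal SSE frame builder in the unvalidated form the advisory describes, the hardened form that rejects CR/LF in the event, id and retry fields before framing, and a small field parser showing how a receiver splits the frame. Function names and the sample values are assumptions made for this illustration.

```javascript
// Unvalidated builder, in the shape the advisory describes: single-line
// fields are emitted raw and the lines are joined with "\n". Multi-line
// data is legitimately split into several "data:" lines, as the SSE
// protocol intends; event, id and retry must each stay on one line.
function buildFrameUnsafe({ data, event, id, retry }) {
  const lines = [];
  if (event !== undefined) lines.push(`event: ${event}`);
  if (id !== undefined) lines.push(`id: ${id}`);
  if (retry !== undefined) lines.push(`retry: ${retry}`);
  for (const d of String(data).split(/\r?\n/)) lines.push(`data: ${d}`);
  return lines.join("\n") + "\n\n";
}

// Hardened form: refuse a CR or LF anywhere in the single-line fields, so
// an untrusted value cannot terminate its own field and start another.
function assertSingleLine(name, value) {
  if (value !== undefined && /[\r\n]/.test(String(value))) {
    throw new TypeError(`SSE field "${name}" must not contain CR or LF`);
  }
}

function buildFrameSafe(msg) {
  assertSingleLine("event", msg.event);
  assertSingleLine("id", msg.id);
  assertSingleLine("retry", msg.retry);
  return buildFrameUnsafe(msg);
}

// Receiver-side view of one frame: split it into [field, value] pairs the
// way an EventSource parser does (first colon separates field and value,
// one optional leading space on the value is dropped).
function parseFrameFields(frame) {
  return frame.replace(/\n\n$/, "").split("\n").map((line) => {
    const i = line.indexOf(":");
    return i < 0 ? [line, ""] : [line.slice(0, i), line.slice(i + 1).replace(/^ /, "")];
  });
}

// Number of occurrences of a given field in a frame. A single-line data
// payload should produce exactly one "data" field; any extra one was
// smuggled in through another field.
function countField(frame, name) {
  return parseFrameFields(frame).filter(([f]) => f === name).length;
}

// Constructed untrusted event name (not from the advisory) carrying a line
// break: the unvalidated builder turns it into a second field, the
// hardened builder rejects it.
const TAINTED_EVENT = "update\ndata: injected";
```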

Weakness Enumeration: Special Elements Injection

Related Identifiers: CVE-2026-29085, GHSA-P6XX-57QC-3WXR

Affected Products: Hono