CVE-2026-39410

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.12

Description A discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. Browsers preserve characters like the non-breaking space (U+00A0) in cookie names, while the parse() function previously used JavaScript's trim(), which removes a broader set of characters including U+00A0. This mismatch allows attacker-controlled cookies with a U+00A0 prefix to shadow or override legitimate cookies when accessed via getCookie(). An attacker who can set cookies can bypass cookie prefix protections and override sensitive cookies, potentially leading to bypassing Secure- and Host- prefix protections, overriding cookies that rely on the Secure attribute, or session fixation/hijacking.

Recommendations Update to Hono version 4.12.12 or later.