Hono, Injection, CVE-2026-29085 (Medium)

Listen to this Post

Hono is a web application framework for JavaScript runtimes. Prior to version 4.12.4, the `streamSSE()` function in its Streaming Helper improperly validated user input. Specifically, the event, id, and `retry` fields were not sanitized for carriage return (\r) or newline (\n) characters. The Server-Sent Events (SSE) protocol relies on these line breaks as delimiters between different fields. Consequently, an attacker could inject arbitrary data containing these control characters into the mentioned fields. This injection could create new, unintended fields within the same SSE event frame, effectively manipulating the structure of the event stream sent to the client. The impact is that an attacker could alter the intended data flow, potentially injecting malicious data or disrupting the client-side event handling. The vulnerability is exploitable over a network without requiring authentication or user interaction. The issue is resolved in version 4.12.4 by rejecting any input containing CR/LF characters in these fields .
Platform: Hono Framework
Version: < 4.12.4
Vulnerability: SSE Field Injection
Severity: Medium (6.5)
date: March 4 2026

Prediction: Patched March 2026

What Undercode Say:

Analytics:

  • CVSS Score: 6.5 (MEDIUM)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • Exploitability: Network, Low Complexity, No Privs Required
  • Weakness: CWE-74 (Injection)

Bash Commands & Codes:

Check current Hono version in a project
npm list hono
Upgrade Hono to the patched version
npm install [email protected]
Verify the upgrade
npm list hono | grep hono
Example of vulnerable code snippet (pre-4.12.4)
import { Hono } from 'hono'
import { streamSSE } from 'hono/streaming'
const app = new Hono()
app.get('/sse', async (c) => {
return streamSSE(c, async (stream) => {
const userInput = c.req.query('msg') // Untrusted input
// Vulnerable if userInput contains \r or \n
await stream.writeSSE({ data: 'Hello', event: userInput })
})
})
Example of safe code (post-patch or manual sanitization)
import { Hono } from 'hono'
import { streamSSE } from 'hono/streaming'
const app = new Hono()
app.get('/sse', async (c) => {
return streamSSE(c, async (stream) => {
let userInput = c.req.query('msg') || ''
// Manual sanitization: Remove CR and LF characters
userInput = userInput.replace(/[\r\n]/g, '')
await stream.writeSSE({ data: 'Hello', event: userInput })
})
})

How Exploit:

An attacker sends a request to the application with malicious input in a parameter that is passed to the event, id, or `retry` field of streamSSE(). The payload includes carriage return (\r) or newline (\n) characters to break out of the intended field and inject a new one. For example, a payload of `injected\r\ndata: malicious` would result in two fields being sent:

event: injected
data: malicious
data: Hello

instead of just event: injected. This could be used to spoof system events, inject malicious data, or cause unexpected client behavior .

Protection:

  • Upgrade: Immediately update Hono to version 4.12.4 or later .
  • Input Validation: If upgrading immediately is not possible, implement strict input validation to reject or sanitize any carriage return (\r) and newline (\n) characters from data passed to the event, id, and `retry` fields of the `streamSSE()` function .

Impact:

  • Integrity: Low – An attacker can inject additional fields into the SSE stream, potentially altering the intended sequence or content of messages sent to the client .
  • Confidentiality: Low – In some scenarios, injected fields could lead to information disclosure if the client-side application logic mishandles them .
  • Availability: None – The vulnerability does not directly lead to a denial of service .
  • XSS Potential: If the client-side application renders the contents of an injected `data` field unsafely (e.g., using innerHTML), it could lead to Cross-Site Scripting (XSS) .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

D-Link DIR-513, Stack Buffer Overflow, CVE-2025-70218 (Critical)

Scroll to Top