CVE-2026-39410

MEDIUM 4.8 | EPSS 0.03%

Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()

Published: 2026/4/8 | Modified: 2026/4/9
Also known as: GHSA-r5rp-j6wh-rvv4, CGA-6rr8-4mqx-6m62

Description

## Summary

A discrepancy between browser cookie parsing and `parse()` handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by `parse()`, allowing attacker-controlled cookies to override legitimate ones.

## Details

Browsers follow RFC 6265bis and only trim SP (`0x20`) and HTAB (`0x09`) from cookie names. Other characters, such as the non-breaking space (`U+00A0`), are preserved as part of the cookie name. For example, the browser treats the following cookies as distinct:

```
"dummy-cookie"
"\u00a0dummy-cookie"
```

However, `parse()` previously used JavaScript's `trim()`, which removes a broader set of characters including `U+00A0`. As a result, both names are normalized to:

```
"dummy-cookie"
```

This mismatch allows attacker-controlled cookies with a `U+00A0` prefix to shadow or override legitimate cookies when accessed via `getCookie()`.

## Impact

An attacker who can set cookies (e.g., via a man-in-the-middle on a non-secure page or other injection vector) can bypass cookie prefix protections and override sensitive cookies. This may lead to:

* Bypassing `__Secure-` and `__Host-` prefix protections
* Overriding cookies that rely on the Secure attribute
* Session fixation or session hijacking depending on application usage

This issue affects applications that rely on `getCookie()` for security-sensitive cookie handling.
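The collision described above, shown as an added example that is not Hono's own code: the same constructed Cookie header is parsed once with JavaScript's `trim()` (the previous, vulnerable normalization) and once with a trimmer that strips only SP and HTAB as RFC 6265bis browsers do. The header value and all function names are assumptions for illustration.

```javascript
// Constructed sample: two names the browser keeps distinct, the second
// differing only by a leading U+00A0 (non-breaking space).
const SAMPLE_COOKIE_HEADER = 'dummy-cookie=legit; \u00a0dummy-cookie=evil';

// RFC 6265bis-style trimming: strip only SP (0x20) and HTAB (0x09).
function trimOwsOnly(s) {
  let start = 0;
  let end = s.length;
  while (start < end && (s[start] === ' ' || s[start] === '\t')) start++;
  while (end > start && (s[end - 1] === ' ' || s[end - 1] === '\t')) end--;
  return s.slice(start, end);
}

// Minimal Cookie header parser; `trimName` controls name normalization.
// Later duplicates overwrite earlier ones, as a typical map-based parser does.
function parseCookieHeader(header, trimName) {
  const cookies = {};
  for (const pair of header.split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    const name = trimName(pair.slice(0, eq));
    if (name === '') continue;
    cookies[name] = pair.slice(eq + 1).trim();
  }
  return cookies;
}

// Vulnerable behaviour: String.prototype.trim() also removes U+00A0, so both
// names collapse to "dummy-cookie" and the attacker-controlled value wins.
function parseLoose(header) {
  return parseCookieHeader(header, (n) => n.trim());
}

// Hardened behaviour: names are trimmed the way browsers trim them, so
// "\u00a0dummy-cookie" stays a separate key and cannot shadow "dummy-cookie".
function parseStrict(header) {
  return parseCookieHeader(header, trimOwsOnly);
}

// Detection hook: true if the header carries names that differ only by
// characters trim() would strip, i.e. a request worth logging or rejecting.
function hasTrimCollision(header) {
  const seen = new Set();
  for (const name of Object.keys(parseStrict(header))) {
    const normalized = name.trim();
    if (seen.has(normalized)) return true;
    seen.add(normalized);
  }
  return false;
}
```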

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |

References (5)