{"id":"GHSA-p6xx-57qc-3wxr","summary":"Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()","details":"## Summary\n\nWhen using `streamSSE()` in Streaming Helper, the `event`, `id`, and `retry` fields were not validated for carriage return (`\\r`) or newline (`\\n`) characters.\n\nBecause the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields.\n\n## Details\n\nThe SSE helper builds event frames by joining lines with `\\n`. While multi-line `data:` fields are handled according to the SSE specification, the `event`, `id`, and `retry` fields previously allowed raw values without rejecting embedded CR/LF characters.\n\nIncluding CR/LF in these control fields could allow unintended additional fields (such as `data:`, `id:`, or `retry:`) to be injected into the event stream.\n\nThe issue has been fixed by rejecting CR/LF characters in these fields.\n\n## Impact\n\nAn attacker could manipulate the structure of SSE event frames if an application passed user-controlled input directly into `event`, `id`, or `retry`.\n\nDepending on application behavior, this could result in injected SSE fields or altered event stream handling. Applications that render `e.data` in an unsafe manner (for example, using `innerHTML`) could potentially expose themselves to client-side script injection.\n\nThis issue affects applications that rely on the SSE helper to enforce protocol-level constraints.","aliases":["CVE-2026-29085"],"modified":"2026-03-18T23:13:53.874943Z","published":"2026-03-04T19:48:41Z","related":["CGA-682x-vv3c-f6h9"],"database_specific":{"github_reviewed_at":"2026-03-04T19:48:41Z","cwe_ids":["CWE-74"],"github_reviewed":true,"nvd_published_at":"2026-03-04T23:16:10Z","severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29085"},{"type":"WEB","url":"https://github.com/honojs/hono/commit/f4123ed9ea3c7c52380cc99a079a4d773838846e"},{"type":"PACKAGE","url":"https://github.com/honojs/hono"}],"affected":[{"package":{"name":"hono","ecosystem":"npm","purl":"pkg:npm/hono"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.12.4"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p6xx-57qc-3wxr/GHSA-p6xx-57qc-3wxr.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}