CVE-2026-29085: Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()

March 4, 2026 (updated March 5, 2026)

When using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters.

Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields.

References

github.com/advisories/GHSA-p6xx-57qc-3wxr
github.com/honojs/hono
github.com/honojs/hono/commit/f4123ed9ea3c7c52380cc99a079a4d773838846e
github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr
nvd.nist.gov/vuln/detail/CVE-2026-29085

Code Behaviors & Features

Detect and mitigate CVE-2026-29085 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →