Skip to main content

Hono Framework CVE-2026-47675

| EUVDEUVD-2026-32925 MEDIUM
HTTP Response Splitting (CWE-113)
2026-05-28 GitHub_M GHSA-3hrh-pfw6-9m5x
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 28, 2026 - 18:02 EUVD
Analysis Generated
May 28, 2026 - 17:24 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 npm packages depend on hono (8 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.12.21.

DescriptionGitHub Advisory

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes. This vulnerability is fixed in 4.12.21.

AnalysisAI

HTTP response header injection in Hono's cookie serialize() function allows unauthenticated remote attackers to inject arbitrary Set-Cookie attributes when an application passes user-controlled input into the sameSite or priority cookie options. All Hono releases prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit code exists at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and network-accessible vector make it exploitable wherever the affected code path is reachable by user-supplied data.

Technical ContextAI

Hono is a lightweight, multi-runtime Web application framework (Node.js, Deno, Bun, Cloudflare Workers, etc.) identified by CPE cpe:2.3:a:honojs:hono:*:*:*:*:*:*:*:*. Its hono/cookie module exposes a serialize() function for building Set-Cookie header values. The function performs input sanitization on the domain and path options, rejecting characters that break cookie syntax (semicolons, carriage returns, newlines), but applies no equivalent validation to the sameSite or priority options. This maps directly to CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers), a class of HTTP response splitting/header injection flaws. An attacker who can influence either option value can terminate the intended attribute field early and append attacker-chosen directives - or in environments where newline injection is not separately blocked, inject entirely new headers - into the HTTP response.

RemediationAI

The primary remediation is to upgrade Hono to version 4.12.21 or later, which extends input validation to the sameSite and priority options in serialize(). This is a vendor-released patch confirmed by GitHub Security Advisory GHSA-3hrh-pfw6-9m5x. For applications unable to upgrade immediately, the effective compensating control is to sanitize or allowlist user-controlled input before passing it to the sameSite or priority cookie options - for example, accepting only the RFC-defined string literals ('Strict', 'Lax', 'None' for sameSite; 'High', 'Medium', 'Low' for priority) and rejecting all other values. This eliminates the injection surface without requiring a framework upgrade, though it places the validation burden on application code and may be missed in future refactors. Review all call sites of serialize() to audit whether any option values derive from external input. The full advisory is at https://github.com/honojs/hono/security/advisories/GHSA-3hrh-pfw6-9m5x.

More in Hono

View all
CVE-2024-48913 MEDIUM POC
5.9 Oct 15

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by

CVE-2024-32869 MEDIUM POC
5.3 Apr 23

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),

CVE-2024-43787 MEDIUM POC
5.0 Aug 22

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),

CVE-2023-50710 MEDIUM POC
4.3 Dec 14

Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita

CVE-2026-27700 HIGH
8.2 Feb 25

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

CVE-2026-22818 HIGH
8.2 Jan 13

Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS

CVE-2026-22817 HIGH
8.2 Jan 13

Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that

CVE-2026-29045 HIGH
7.5 Mar 04

Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew

CVE-2020-27217 HIGH
7.5 Nov 13

In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro

CVE-2025-71381 MEDIUM
6.9 Jun 30

Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh

CVE-2026-56762 MEDIUM
6.9 Jun 23

Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all

CVE-2026-59896 MEDIUM
6.5 Jul 08

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per

Share

CVE-2026-47675 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy