Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 8 npm packages depend on hono (8 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.12.21.
DescriptionGitHub Advisory
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes. This vulnerability is fixed in 4.12.21.
AnalysisAI
HTTP response header injection in Hono's cookie serialize() function allows unauthenticated remote attackers to inject arbitrary Set-Cookie attributes when an application passes user-controlled input into the sameSite or priority cookie options. All Hono releases prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit code exists at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and network-accessible vector make it exploitable wherever the affected code path is reachable by user-supplied data.
Technical ContextAI
Hono is a lightweight, multi-runtime Web application framework (Node.js, Deno, Bun, Cloudflare Workers, etc.) identified by CPE cpe:2.3:a:honojs:hono:*:*:*:*:*:*:*:*. Its hono/cookie module exposes a serialize() function for building Set-Cookie header values. The function performs input sanitization on the domain and path options, rejecting characters that break cookie syntax (semicolons, carriage returns, newlines), but applies no equivalent validation to the sameSite or priority options. This maps directly to CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers), a class of HTTP response splitting/header injection flaws. An attacker who can influence either option value can terminate the intended attribute field early and append attacker-chosen directives - or in environments where newline injection is not separately blocked, inject entirely new headers - into the HTTP response.
RemediationAI
The primary remediation is to upgrade Hono to version 4.12.21 or later, which extends input validation to the sameSite and priority options in serialize(). This is a vendor-released patch confirmed by GitHub Security Advisory GHSA-3hrh-pfw6-9m5x. For applications unable to upgrade immediately, the effective compensating control is to sanitize or allowlist user-controlled input before passing it to the sameSite or priority cookie options - for example, accepting only the RFC-defined string literals ('Strict', 'Lax', 'None' for sameSite; 'High', 'Medium', 'Low' for priority) and rejecting all other values. This eliminates the injection surface without requiring a framework upgrade, though it places the validation burden on application code and may be missed in future refactors. Review all call sites of serialize() to audit whether any option values derive from external input. The full advisory is at https://github.com/honojs/hono/security/advisories/GHSA-3hrh-pfw6-9m5x.
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),
Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS
Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh
Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all
Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per
Same weakness CWE-113 – HTTP Response Splitting
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32925
GHSA-3hrh-pfw6-9m5x