Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-accessible encoding flaw requiring no authentication; integrity impact is limited to cookie delivery corruption with no confidentiality or availability consequence.
Primary rating from Vendor (https://github.com/honojs/hono).
CVSS VectorVendor: https://github.com/honojs/hono
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 53 npm packages depend on hono (34 direct, 19 indirect)
Ecosystem-wide dependent count for version 4.12.25.
DescriptionCVE.org
Summary
On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example Expires dates), clients cannot split the value back into individual cookies and silently drop or misparse them.
Details
Per RFC 6265, each cookie must be its own Set-Cookie header line, and commas may appear inside attribute values. Joining cookies with ", " collides with those commas, producing a value that clients cannot reliably split. Only ALB single-header mode and VPC Lattice v2 are affected; API Gateway v1/v2 and ALB with multi-value headers enabled already use an array and are unaffected.
Impact
A client may receive only one of the cookies, a malformed cookie, or none. Session, CSRF, or preference cookies can silently fail to apply, breaking sessions or forcing re-authentication. This affects applications that set multiple cookies per response and run on AWS Lambda behind an ALB in single-header mode (the default) or VPC Lattice v2.
AnalysisAI
Cookie integrity failure in the Hono AWS Lambda adapter (npm/hono < 4.12.25) causes multiple Set-Cookie response headers to be merged into a single comma-separated value, violating RFC 6265 and producing unparseable cookie strings on ALB single-header mode (the default deployment) and VPC Lattice v2. Applications setting more than one cookie per response - including session tokens and CSRF cookies - will find those cookies silently dropped or misparsed by clients, potentially breaking authentication flows or defeating CSRF protections without any visible server-side error. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three conditions must all be true: (1) the backend application uses Hono npm package version below 4.12.25; (2) the application sets two or more Set-Cookie headers in a single HTTP response (common for session + CSRF cookie combinations); and (3) the AWS Lambda function is fronted by an ALB with single-header mode active (the default, i.e., multi-value headers NOT enabled on the target group) OR by VPC Lattice v2. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) is consistent with a network-reachable encoding flaw that degrades integrity with no direct confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A web application built with Hono and deployed on AWS Lambda behind an ALB in the default single-header mode issues a login response containing both a session cookie and a CSRF token cookie. The Hono adapter merges both into a single malformed Set-Cookie header value; the client's browser cannot parse the combined value and discards one or both cookies. … |
| Remediation | Upgrade Hono to version 4.12.25 or later; this is the vendor-confirmed fix per the GitHub Security Advisory GHSA-j6c9-x7qj-28xf (https://github.com/honojs/hono/security/advisories/GHSA-j6c9-x7qj-28xf). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38326
GHSA-j6c9-x7qj-28xf