Skip to main content

Hono Framework EUVDEUVD-2026-38326

| CVE-2026-54287 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-06-16 https://github.com/honojs/hono GHSA-j6c9-x7qj-28xf
5.3
CVSS 3.1 · Vendor: https://github.com/honojs/hono
Share

Severity by source

Vendor (https://github.com/honojs/hono) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible encoding flaw requiring no authentication; integrity impact is limited to cookie delivery corruption with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/honojs/hono).

CVSS VectorVendor: https://github.com/honojs/hono

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 16, 2026 - 14:53 vuln.today
Analysis Generated
Jun 16, 2026 - 14:53 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 53 npm packages depend on hono (34 direct, 19 indirect)

Ecosystem-wide dependent count for version 4.12.25.

DescriptionCVE.org

Summary

On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example Expires dates), clients cannot split the value back into individual cookies and silently drop or misparse them.

Details

Per RFC 6265, each cookie must be its own Set-Cookie header line, and commas may appear inside attribute values. Joining cookies with ", " collides with those commas, producing a value that clients cannot reliably split. Only ALB single-header mode and VPC Lattice v2 are affected; API Gateway v1/v2 and ALB with multi-value headers enabled already use an array and are unaffected.

Impact

A client may receive only one of the cookies, a malformed cookie, or none. Session, CSRF, or preference cookies can silently fail to apply, breaking sessions or forcing re-authentication. This affects applications that set multiple cookies per response and run on AWS Lambda behind an ALB in single-header mode (the default) or VPC Lattice v2.

AnalysisAI

Cookie integrity failure in the Hono AWS Lambda adapter (npm/hono < 4.12.25) causes multiple Set-Cookie response headers to be merged into a single comma-separated value, violating RFC 6265 and producing unparseable cookie strings on ALB single-header mode (the default deployment) and VPC Lattice v2. Applications setting more than one cookie per response - including session tokens and CSRF cookies - will find those cookies silently dropped or misparsed by clients, potentially breaking authentication flows or defeating CSRF protections without any visible server-side error. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Application issues multi-cookie login response
Delivery
Hono Lambda adapter merges Set-Cookie headers with comma delimiter
Exploit
ALB forwards malformed single header to client
Execution
Browser fails to parse merged cookie string
Persist
Session or CSRF cookie silently absent from client state
Impact
Security control (session validation or CSRF check) fails or is bypassable

Vulnerability AssessmentAI

Exploitation Three conditions must all be true: (1) the backend application uses Hono npm package version below 4.12.25; (2) the application sets two or more Set-Cookie headers in a single HTTP response (common for session + CSRF cookie combinations); and (3) the AWS Lambda function is fronted by an ALB with single-header mode active (the default, i.e., multi-value headers NOT enabled on the target group) OR by VPC Lattice v2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) is consistent with a network-reachable encoding flaw that degrades integrity with no direct confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A web application built with Hono and deployed on AWS Lambda behind an ALB in the default single-header mode issues a login response containing both a session cookie and a CSRF token cookie. The Hono adapter merges both into a single malformed Set-Cookie header value; the client's browser cannot parse the combined value and discards one or both cookies. …
Remediation Upgrade Hono to version 4.12.25 or later; this is the vendor-confirmed fix per the GitHub Security Advisory GHSA-j6c9-x7qj-28xf (https://github.com/honojs/hono/security/advisories/GHSA-j6c9-x7qj-28xf). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38326 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy