Impact
The bug arises in Hono's AWS Lambda adapter when it builds a response for the Application Load Balancer (ALB) single-header format or the VPC Lattice v2 format and joins more than one Set-Cookie header into a single comma-separated value. Set-Cookie cannot be folded this way: a client parses one cookie per header line, and cookie attributes such as Expires themselves contain commas (for example `Expires=Wed, 21 Oct 2026 07:28:00 GMT`), so the receiving client cannot split the merged value back into its parts. In practice it keeps only the first cookie, treats the rest of the string as a malformed attribute of that cookie, and silently drops the others. A response that sets a session cookie together with any other cookie therefore arrives with some of them missing, which breaks user sessions or, where the application relies on those cookies for authorization decisions, can lead to unauthorized access. The weakness is classified as CWE-116 (Improper Encoding or Escaping of Output).
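The following is an added example, not code from Hono or from the advisory, that shows what a client does with a comma-joined Set-Cookie value and gives a check that flags the merged form in a Lambda response object. The response shapes (`headers` for ALB single-header mode, `multiValueHeaders` for ALB with multi-value headers enabled) follow the AWS Lambda/ALB response format; the cookie strings and the function names are constructed for the example, and `parseSetCookie` is a simplified parser in the spirit of RFC 6265 section 5.2 rather than a browser's.

```javascript
// Added example, not Hono's code. Demonstrates why joining Set-Cookie headers
// with ", " loses cookies on the client side, and a check for the merged form.

// Minimal single-header parser in the spirit of RFC 6265 section 5.2: the text
// up to the first ';' is the name=value pair, everything after it is attributes.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';');
  const pair = parts[0];
  const eq = pair.indexOf('=');
  if (eq < 0) return null;
  return {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    attributes: parts.slice(1).map((a) => a.trim()).filter((a) => a.length > 0),
  };
}

// Constructed sample input: a session cookie whose Expires attribute contains
// a comma, plus a second cookie used for CSRF protection.
const SAMPLE_COOKIES = [
  'session=abc123; Path=/; HttpOnly; Secure; Expires=Wed, 21 Oct 2026 07:28:00 GMT',
  'csrf=tok456; Path=/; SameSite=Strict',
];

// The vulnerable shape: ALB single-header mode carries one value per header
// name, so a naive adapter joins the values with ", " as for any other header.
function toSingleHeaderResponse(setCookies) {
  return { statusCode: 200, headers: { 'set-cookie': setCookies.join(', ') }, body: '' };
}

// The shape that keeps each cookie intact: ALB with multi-value headers enabled
// on the target group accepts an array of values per header name.
function toMultiValueHeaderResponse(setCookies) {
  return { statusCode: 200, multiValueHeaders: { 'set-cookie': setCookies }, body: '' };
}

// The raw Set-Cookie header lines a client receives for a given response.
function setCookieLines(response) {
  if (response.multiValueHeaders && response.multiValueHeaders['set-cookie']) {
    return response.multiValueHeaders['set-cookie'];
  }
  if (response.headers && typeof response.headers['set-cookie'] === 'string') {
    return [response.headers['set-cookie']];
  }
  return [];
}

// Names of the cookies a client actually stores: one per header line.
function cookieNamesSeenByClient(response) {
  return setCookieLines(response)
    .map(parseSetCookie)
    .filter((c) => c !== null)
    .map((c) => c.name);
}

// The Expires value the client would try to parse for the first cookie. In the
// merged case the second cookie is glued onto it, so it is not a valid date and
// the first cookie silently degrades to a session cookie as well.
function firstCookieExpires(response) {
  const lines = setCookieLines(response);
  if (lines.length === 0) return null;
  const first = parseSetCookie(lines[0]);
  const attr = first.attributes.find((a) => /^expires=/i.test(a));
  return attr ? attr.slice('Expires='.length) : null;
}

// Audit check for the bug: a cookie value cannot contain a comma (RFC 6265
// cookie-octet) and a date attribute has no '=' after its comma, so a comma
// followed by "name=" inside one Set-Cookie value means a second cookie was
// joined into it.
function hasMergedSetCookie(response) {
  if (!response.headers || typeof response.headers['set-cookie'] !== 'string') {
    return false;
  }
  return response.headers['set-cookie']
    .split(',')
    .slice(1)
    .some((part) => /^\s*[^\s=;,]+=/.test(part));
}

console.log('single-header, client keeps:', cookieNamesSeenByClient(toSingleHeaderResponse(SAMPLE_COOKIES)));
console.log('multi-value, client keeps:', cookieNamesSeenByClient(toMultiValueHeaderResponse(SAMPLE_COOKIES)));
console.log('merged form detected:', hasMergedSetCookie(toSingleHeaderResponse(SAMPLE_COOKIES)));
```

With the merged single-header response the client keeps only `session`, and even that cookie's Expires attribute is corrupted by the trailing `, csrf=tok456`, so it is treated as a session cookie; the multi-value response delivers both cookies intact. `hasMergedSetCookie` can be run against adapter output in a unit test or against captured Lambda responses to confirm whether a deployment produces the merged form.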
Affected Systems
Deployments of the Hono framework (npm package `hono`, GitHub honojs/hono) at versions prior to 4.12.25 that run on AWS Lambda and return responses in the Application Load Balancer single-header format or the VPC Lattice v2 format. The defect is in the framework's Lambda adapter, not in the application code, and it is triggered whenever a single response sets more than one cookie; it does not depend on the runtime or the application otherwise. Response shapes that carry each Set-Cookie as a separate entry (for example ALB with multi-value headers enabled) are not the ones described here.
Risk and Exploitability
The CVSS score is 5.3 (Medium). No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The merge is triggered by the application's own behaviour (setting more than one cookie in one response), not by attacker-controlled input, so an external attacker cannot cause it directly; the effect is felt by end users, whose sessions break when the framework emits several cookies at once. The practical risk is to the reliability of authentication and to any security control that depends on a cookie that was silently dropped or whose attributes were corrupted (for example a CSRF token, or the Expires attribute of the session cookie), not remote code execution.
OpenCVE Enrichment
GitHub GHSA