Description
Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie header values. In modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and cause a runtime error before the response is sent, so header injection or response splitting could not be reproduced; the issue primarily affects correctness and robustness, resulting in runtime errors (availability) rather than confirmed header injection.
Published: 2026-06-23
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the absence of validation on cookie names in Hono's setCookie(), serialize(), and serializeSigned() functions. When a user supplies a name containing control characters such as carriage return or newline, the framework accepts it and constructs a malformed Set-Cookie header. Because modern runtimes reject such headers and throw a runtime error before the response is sent, the observable result is an availability disruption rather than a classic header injection. The assigned weakness is CWE-113 (improper neutralization of CRLF sequences in HTTP headers), rooted in missing input validation on the cookie name.

Affected Systems

Affected products include the Hono web framework prior to version 4.12.12, running on Node.js or platforms such as Cloudflare Workers. Any deployment that passes user-controlled cookie names to these functions without filtering is susceptible.

Risk and Exploitability

With a CVSS score of 6.9 the vulnerability is considered medium severity. No EPSS data is available and the issue is not listed in the CISA KEV catalog. The likely attack path is an application that passes a user-controlled cookie name to setCookie(): a request carrying a name with invalid characters makes the runtime throw and abort the response. The impact is limited to a denial of service of the affected component; it does not provide broader access or data compromise.

Generated by OpenCVE AI on June 23, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Hono version 4.12.12 or later, which includes validation of cookie names.
  • Validate or sanitize any user-supplied cookie name to contain only allowed characters before calling setCookie().
  • Implement robust error handling for Set-Cookie header construction failures and monitor application logs for related runtime errors.

Generated by OpenCVE AI on June 23, 2026 at 13:22 UTC.
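As an added example (not Hono's own code), the "validate before setCookie()" check recommended above: the name grammar follows RFC 6265's cookie-name = token, and the minimal serializer below is an assumed stand-in for the unvalidated write path this record describes, not Hono's implementation.

```javascript
// Added example, not Hono's code: cookie-name validation in front of a
// serializer that mirrors the unvalidated write path (assumed stand-in).

// RFC 6265 cookie-name = token: visible ASCII excluding the separators
// ( ) < > @ , ; : \ " / [ ] ? = { } and every control character (CR, LF, ...).
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidCookieName(name) {
  return typeof name === "string" && COOKIE_NAME_RE.test(name);
}

// Serializer with no name validation: whatever is in `name` is copied into
// the Set-Cookie value, so a name carrying CR/LF yields a malformed header.
function serializeUnchecked(name, value, attrs = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (attrs.path) out += `; Path=${attrs.path}`;
  if (attrs.httpOnly) out += "; HttpOnly";
  return out;
}

// Hardened wrapper: fail early with a descriptive error instead of letting
// the runtime reject the header and abort the response later.
function serializeChecked(name, value, attrs = {}) {
  if (!isValidCookieName(name)) {
    throw new TypeError(`invalid cookie name: ${JSON.stringify(name)}`);
  }
  return serializeUnchecked(name, value, attrs);
}

// Monitoring aid: flags a built Set-Cookie value containing CR or LF,
// the condition that triggers the runtime error described in this record.
function hasCrlf(headerValue) {
  return /[\r\n]/.test(headerValue);
}

// Constructed sample inputs: one well-formed name, one carrying CR/LF.
const SAMPLE_OK = "session_id";
const SAMPLE_BAD = "session_id\r\nbad";

// Demonstration: the unchecked path emits a CR/LF-bearing value,
// the checked path refuses the name before any header is built.
console.log(hasCrlf(serializeUnchecked(SAMPLE_BAD, "v")));   // true
try {
  serializeChecked(SAMPLE_BAD, "v");
} catch (e) {
  console.log(e.message);   // invalid cookie name: "session_id\r\nbad"
}
```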


Advisories

No advisories yet.

History

Tue, 23 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 12:45:00 +0000

Type                  Values Removed   Values Added
Description           (none)           Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie header values. In modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and cause a runtime error before the response is sent, so header injection or response splitting could not be reproduced; the issue primarily affects correctness and robustness, resulting in runtime errors (availability) rather than confirmed header injection.
Title                 (none)           Hono - Missing Cookie Name Validation in setCookie()
First Time appeared   (none)           Hono; Hono hono
Weaknesses            (none)           CWE-113
CPEs                  (none)           cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*
Vendors & Products    (none)           Hono; Hono hono
References            (none)           (none)
Metrics               (none)           cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
                                       cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:09:45.435Z

Reserved: 2026-06-22T21:55:17.941Z

Link: CVE-2026-56762

Vulnrichment

Updated: 2026-06-23T13:09:30.228Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T13:30:03Z

Weaknesses
  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')