Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ajhs-ueyw-pfbz
Vulnerability ID VCID-ajhs-ueyw-pfbz
Aliases GHSA-26pp-8wgv-hjvm
Summary Hono missing validation of cookie name on write path in setCookie() ## Summary Cookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers. While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters. This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path). ## Details When applications use `setCookie()`, `serialize()`, or `serializeSigned()` with a user-controlled cookie name, invalid values (e.g., containing control characters such as `\r` or `\n`) can be used to construct malformed `Set-Cookie` header values. For example: ``` Set-Cookie: legit X-Injected: evil=value ``` However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent. As a result, the reported header injection / response splitting behavior could not be reproduced in these environments. ## Impact Applications that pass untrusted input as the cookie name to `setCookie()`, `serialize()`, or `serializeSigned()` may encounter runtime errors due to invalid header values. In tested environments, malformed `Set-Cookie` headers are rejected before being sent, and the reported header injection behavior could not be reproduced. This issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-26pp-8wgv-hjvm
cvssv3.1 5.3 https://github.com/honojs/hono
generic_textual MODERATE https://github.com/honojs/hono
cvssv3.1 5.3 https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec
generic_textual MODERATE https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec
cvssv3.1 5.3 https://github.com/honojs/hono/releases/tag/v4.12.12
generic_textual MODERATE https://github.com/honojs/hono/releases/tag/v4.12.12
cvssv3.1 5.3 https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm
cvssv3.1_qr MODERATE https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm
generic_textual MODERATE https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm
Reference id Reference type URL
https://github.com/honojs/hono
https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec
https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm
GHSA-26pp-8wgv-hjvm https://github.com/advisories/GHSA-26pp-8wgv-hjvm
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/honojs/hono
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/honojs/hono/releases/tag/v4.12.12
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-12T07:45:35.719051+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-26pp-8wgv-hjvm/GHSA-26pp-8wgv-hjvm.json 38.6.0