CVE-2026-56762

MEDIUM 5.3

Hono - Missing Cookie Name Validation in setCookie()

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie header values. In modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and cause a runtime error before the response is sent, so header injection or response splitting could not be reproduced; the issue primarily affects correctness and robustness, resulting in runtime errors (availability) rather than confirmed header injection.

CWE	CWE-113
Vendor	hono
Product	hono
Published	Jun 23, 2026
Last Updated	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for hono hono

Be the first to know when new medium vulnerabilities affecting hono hono are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

Hono / Hono

0 < 4.12.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm vulncheck.com: https://www.vulncheck.com/advisories/hono-missing-cookie-name-validation-in-setcookie

Credits

🔍 athuljayaram