CVE-2026-47675

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Assigner: GitHub_M
Reserved: 19.05.2026 Published: 28.05.2026 Updated: 28.05.2026

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes. This vulnerability is fixed in 4.12.21.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	honojs
Product	hono
Versions	Version < 4.12.21 is affected

Vendor

honojs

Product

hono

Versions

Version < 4.12.21 is affected

References

Problem Types

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE
CWE-1287: Improper Validation of Specified Type of Input CWE

CVE-2026-47675 PUBLISHED

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Metrics

Product Status

References

Problem Types