Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Hono Cookie Name Validation Error in Cookie Generation
GHSA-26pp-8wgv-hjvm
Summary
Untrusted input can cause errors when generating cookie headers. If you use Hono to generate cookies from user-controlled input, make sure to validate the cookie name to prevent errors. Update to the latest version of Hono to ensure robust cookie generation.
What to do
- Update yusukebe hono to version 4.12.12.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| yusukebe | hono | <= 4.12.12 | 4.12.12 |
Original title
Hono missing validation of cookie name on write path in setCookie()
Original description
## Summary
Cookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers.
While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters.
This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).
## Details
When applications use `setCookie()`, `serialize()`, or `serializeSigned()` with a user-controlled cookie name, invalid values (e.g., containing control characters such as `\r` or `\n`) can be used to construct malformed `Set-Cookie` header values.
For example:
```
Set-Cookie: legit
X-Injected: evil=value
```
However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent.
As a result, the reported header injection / response splitting behavior could not be reproduced in these environments.
## Impact
Applications that pass untrusted input as the cookie name to `setCookie()`, `serialize()`, or `serializeSigned()` may encounter runtime errors due to invalid header values.
In tested environments, malformed `Set-Cookie` headers are rejected before being sent, and the reported header injection behavior could not be reproduced.
This issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability.
Cookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers.
While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters.
This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).
## Details
When applications use `setCookie()`, `serialize()`, or `serializeSigned()` with a user-controlled cookie name, invalid values (e.g., containing control characters such as `\r` or `\n`) can be used to construct malformed `Set-Cookie` header values.
For example:
```
Set-Cookie: legit
X-Injected: evil=value
```
However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent.
As a result, the reported header injection / response splitting behavior could not be reproduced in these environments.
## Impact
Applications that pass untrusted input as the cookie name to `setCookie()`, `serialize()`, or `serializeSigned()` may encounter runtime errors due to invalid header values.
In tested environments, malformed `Set-Cookie` headers are rejected before being sent, and the reported header injection behavior could not be reproduced.
This issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability.
osv CVSS3.1
5.3
Vulnerability type
CWE-113
Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 9 Apr 2026