Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Unvalidated Cookie Names in Hono Set-Cookie Headers
GHSA-26pp-8wgv-hjvm
Summary
Hono applications may encounter runtime errors if using untrusted input for cookie names in setCookie() or similar functions. This is due to invalid characters in cookie names, which can cause issues with header values. To fix, ensure that cookie names are properly validated before passing them to these functions.
What to do
- Update yusukebe hono to version 4.12.12.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| yusukebe | hono | <= 4.12.12 | 4.12.12 |
Original title
Hono missing validation of cookie name on write path in setCookie()
Original description
## Summary
Cookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers.
While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters.
This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).
## Details
When applications use `setCookie()`, `serialize()`, or `serializeSigned()` with a user-controlled cookie name, invalid values (e.g., containing control characters such as `\r` or `\n`) can be used to construct malformed `Set-Cookie` header values.
For example:
```
Set-Cookie: legit
X-Injected: evil=value
```
However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent.
As a result, the reported header injection / response splitting behavior could not be reproduced in these environments.
## Impact
Applications that pass untrusted input as the cookie name to `setCookie()`, `serialize()`, or `serializeSigned()` may encounter runtime errors due to invalid header values.
In tested environments, malformed `Set-Cookie` headers are rejected before being sent, and the reported header injection behavior could not be reproduced.
This issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability.
Cookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers.
While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters.
This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).
## Details
When applications use `setCookie()`, `serialize()`, or `serializeSigned()` with a user-controlled cookie name, invalid values (e.g., containing control characters such as `\r` or `\n`) can be used to construct malformed `Set-Cookie` header values.
For example:
```
Set-Cookie: legit
X-Injected: evil=value
```
However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent.
As a result, the reported header injection / response splitting behavior could not be reproduced in these environments.
## Impact
Applications that pass untrusted input as the cookie name to `setCookie()`, `serialize()`, or `serializeSigned()` may encounter runtime errors due to invalid header values.
In tested environments, malformed `Set-Cookie` headers are rejected before being sent, and the reported header injection behavior could not be reproduced.
This issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability.
ghsa CVSS3.1
5.3
Vulnerability type
CWE-113
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026