PatchSiren cyber security CVE debrief
CVE-2026-47675 honojs CVE debrief
A vulnerability in the Hono web framework's cookie serialization allows attackers to inject arbitrary Set-Cookie attributes when user-controlled input is passed to the `sameSite` or `priority` cookie options. The `serialize()` function in `hono/cookie` validates `domain` and `path` options against characters that corrupt Set-Cookie header syntax (semicolons, carriage returns, and newlines), but fails to apply equivalent validation to `sameSite` and `priority`. This omission permits header injection when untrusted input reaches these parameters. The vulnerability is rated CVSS 4.3 (Medium) with an attack vector of network, low attack complexity, no privileges required, and user interaction required. The issue affects versions prior to 4.12.21 and was disclosed on May 28, 2026.
- Vendor: honojs
- Product: hono
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations using Hono framework versions prior to 4.12.21 for web application development, particularly those implementing cookie-based session management or authentication flows where cookie options may incorporate user-influenced data.
Technical summary
The Hono framework's `serialize()` function in `hono/cookie` inadequately validates the `sameSite` and `priority` cookie options. While `domain` and `path` are checked against characters that would corrupt Set-Cookie syntax (specifically `;`, `\r`, and `\n`), these checks are not applied to `sameSite` and `priority`. Consequently, an attacker who can supply input to these options can inject additional attributes into the Set-Cookie response header. This represents an HTTP response splitting/header injection vulnerability with confidentiality and integrity impacts limited to the cookie scope. The fix in version 4.12.21 extends validation to cover these previously unchecked options.
Defensive priority
medium
Recommended defensive actions
- Upgrade Hono to version 4.12.21 or later to remediate this vulnerability.
- Audit application code for any instances where user-controlled input is passed to the `sameSite` or `priority` options of cookie serialization functions.
- Implement input validation at the application layer to sanitize or reject untrusted data before it reaches cookie options, as a defense-in-depth measure.
- Review logging and monitoring configurations to detect anomalous Set-Cookie header patterns that may indicate exploitation attempts.
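The pattern described in the technical summary and in the audit and validation actions above, as an added example that is not Hono's own code: an illustrative cookie serializer that applies the `;`/`\r`/`\n` check to every attribute and additionally allowlists the enumerated `sameSite` and `priority` values, plus a small response-side check that flags Set-Cookie attributes outside the standard set. All function names are hypothetical.

```javascript
// Added example (not Hono's serialize()): hardened cookie serialization plus a
// detection helper. Sample inputs below are constructed for illustration.
const FORBIDDEN = /[;\r\n]/;
const SAME_SITE = new Set(['Strict', 'Lax', 'None']);
const PRIORITY = new Set(['Low', 'Medium', 'High']);

// Accept only the known enum spellings (case-insensitive) and return the
// canonical form; anything else is rejected outright.
function normalizeEnum(value, allowed, optionName) {
  const s = String(value);
  const canon = s.charAt(0).toUpperCase() + s.slice(1).toLowerCase();
  if (!allowed.has(canon)) throw new TypeError(`invalid ${optionName} value`);
  return canon;
}

function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain !== undefined) {
    if (FORBIDDEN.test(opts.domain)) throw new TypeError('invalid domain');
    parts.push(`Domain=${opts.domain}`);
  }
  if (opts.path !== undefined) {
    if (FORBIDDEN.test(opts.path)) throw new TypeError('invalid path');
    parts.push(`Path=${opts.path}`);
  }
  // The hardened part: sameSite and priority are allowlisted, not merely
  // scanned for forbidden characters, so no foreign text reaches the header.
  if (opts.sameSite !== undefined) {
    parts.push(`SameSite=${normalizeEnum(opts.sameSite, SAME_SITE, 'sameSite')}`);
  }
  if (opts.priority !== undefined) {
    parts.push(`Priority=${normalizeEnum(opts.priority, PRIORITY, 'priority')}`);
  }
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Detection helper for log review or a reverse proxy: return attribute names
// in a Set-Cookie header that are outside the standard set. A serializer that
// lets untrusted text into sameSite/priority would produce such extras.
const KNOWN_ATTRS = new Set(['expires', 'max-age', 'domain', 'path', 'secure',
  'httponly', 'samesite', 'priority', 'partitioned']);
function unexpectedCookieAttributes(setCookieHeader) {
  return setCookieHeader.split(';').slice(1)
    .map((p) => p.trim().split('=')[0].toLowerCase())
    .filter((a) => a && !KNOWN_ATTRS.has(a));
}
```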
Evidence notes
The vulnerability description is sourced from the official CVE record and NVD entry, both published on 2026-05-28. The GitHub Security Advisory (GHSA-3hrh-pfw6-9m5x) is cited as the primary reference. CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) and CWE-1287 (Improper Validation of Specified Type of Input) are identified as associated weaknesses.
Official resources
- CVE-2026-47675 CVE record (CVE.org)
- CVE-2026-47675 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28