CVE-2026-47675: Hono Cookie Injection Vulnerability in sameSite and priority Parameters
Hono, a JavaScript web framework, contains a flaw in how it sanitizes cookie options. While the framework validates certain cookie parameters (domain and path) to prevent malicious characters from breaking the Set-Cookie header, it fails to apply the same checks to sameSite and priority options. If an application passes user-controlled input directly into these parameters, an attacker could inject additional cookie attributes into the response header, potentially manipulating cookie behavior or setting unintended security policies.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-113, CWE-1287
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes. This vulnerability is fixed in 4.12.21.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47675 affects Hono versions prior to 4.12.21. The serialize() function in hono/cookie inadequately sanitizes the sameSite and priority cookie options against characters that corrupt HTTP response header syntax (semicolon, carriage return, newline). The domain and path options are correctly validated, but sameSite and priority lack equivalent filtering. An attacker controlling input to these options can craft a malformed Set-Cookie header that includes attacker-specified cookie attributes. This represents a header injection vulnerability classified under CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) and CWE-1287 (Improper Validation of Specified Type of Input).
Business impact
The vulnerability enables session manipulation and potential security policy bypass through cookie injection. While the CVSS score is moderate (4.3), the practical impact depends on application usage: if an app exposes sameSite or priority parameters to user input without additional validation, attackers could inject cookies with conflicting attributes, potentially affecting browser security policies (SameSite enforcement) or causing cache poisoning. The attack requires user interaction (reflected in the CVSS UI:R component), limiting but not eliminating risk in typical web deployment scenarios.
Affected systems
Hono versions prior to 4.12.21 are affected. Any JavaScript application using Hono's cookie serialization with user-controlled input passed to sameSite or priority parameters is vulnerable. This includes Node.js, Bun, Deno, and Cloudflare Workers deployments of Hono-based applications. Applications that hardcode these cookie options or sanitize user input separately are not affected.
Exploitability
Exploitability is straightforward but requires application-level exposure. An attacker must identify an application that accepts user input for sameSite or priority cookie options—a relatively uncommon pattern, as these are typically framework-controlled. The attack vector is network-based with low complexity. Exploitation does not require authentication or special privileges, but does require user interaction (typically clicking a malicious link or submitting a form). The attack surface is narrower than framework-wide vulnerabilities due to the specific requirement for user input handling.
Remediation
Upgrade Hono to version 4.12.21 or later. Organizations using earlier versions should prioritize this patch, particularly if cookie options are exposed to user input. Until patching is possible, implement input validation at the application level: reject or sanitize any user input destined for sameSite or priority parameters to remove or reject semicolons, carriage returns, and newlines.
Patch guidance
Apply Hono version 4.12.21 or later. Verify compatibility with your application's dependency chain and test in a staging environment before production deployment. Check your package.json or package management system for the current Hono version; if earlier than 4.12.21, update immediately. The patch adds proper input validation to sameSite and priority parameters, bringing them into alignment with existing domain and path sanitization.
Detection guidance
Monitor application logs for Set-Cookie headers containing unexpected or injected attributes, particularly those with anomalous sameSite or priority values containing special characters. Automated security scanning of dependencies should flag Hono versions earlier than 4.12.21. Application-level detection is challenging without instrumentation; focus detection efforts on identifying vulnerable versions in your inventory and validating that user input to cookie functions is restricted or properly sanitized.
Why prioritize this
Although CVSS 4.3 (MEDIUM) suggests lower urgency, prioritize based on application context. If your applications accept user input for cookie serialization options, treat this as higher priority despite the moderate score. The vulnerability requires no authentication and is network-accessible, making it a standing invitation for attackers to test exposed applications. Organizations with defense-in-depth practices (input validation, CSP, SameSite-by-default policies) face lower residual risk but should still patch promptly to eliminate the vector.
Risk score, explained
CVSS 4.3 reflects: network-based attack vector, low attack complexity, no privilege requirement, and user interaction needed. Confidentiality is not impacted (C:N), integrity is limited (I:L) due to cookie attribute injection rather than sensitive data exposure, and availability is unaffected (A:N). The score appropriately reflects a targeted injection vulnerability with moderate but real business risk—not a critical flaw, but a clear security gap that should not be ignored in typical web environments.
Frequently asked questions
Do I need to patch immediately if my application doesn't directly expose cookie options to users?
No, but you should still patch in your regular update cycle. If your application hardcodes sameSite and priority values or never accepts user input for these parameters, you are not vulnerable. However, layered defenses can shift during refactoring or updates, so patching eliminates the risk vector entirely.
What's the difference between this vulnerability and typical XSS or CSRF attacks?
This is header injection, not script injection. The attacker cannot inject arbitrary JavaScript or steal sessions directly. Instead, they manipulate the Set-Cookie header itself to inject unintended cookie attributes, potentially conflicting with your application's intended security policies. It's a narrower attack surface but still meaningful if an app mishandles cookie serialization options.
Does this affect my application if I use a different web framework?
No. This is specific to Hono. If you use Express, Next.js, Fastify, or other frameworks, you are not directly affected by CVE-2026-47675. However, check whether those frameworks have similar gaps in cookie serialization—this vulnerability is a reminder to validate all user input before passing it to security-sensitive functions.
Can an attacker exploit this to steal user sessions or perform authentication bypass?
Not directly through this vulnerability alone. Cookie injection here allows attribute manipulation (e.g., changing SameSite behavior or priority), not credential theft. However, if combined with other weaknesses (weak SameSite policies, lack of secure flags), it could amplify other attacks. The vulnerability is a building block, not a complete compromise.
This analysis is based on CVE-2026-47675 source data as of the publication date. Security researchers and developers should consult the official Hono project advisory and release notes for authoritative guidance. CVSS scores represent scoring organization assessments and may not reflect your organization's risk tolerance or environment. Patch timelines and compatibility should be verified against your specific application stack. This document does not constitute security advice; conduct your own assessment based on your threat model and exposure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2024-6858MEDIUMArista EOS 802.1X Multi-Auth Bypass via Fallback VLAN EAPOL Device
- CVE-2026-38978MEDIUMTransmission Clickjacking Vulnerability in WebUI and RPC Paths
- CVE-2026-47673MEDIUMHono JWT Middleware Bearer Scheme Validation Bypass
- CVE-2026-47674MEDIUMHono IP-Restriction Middleware IPv6 Bypass Vulnerability
- CVE-2026-47676MEDIUMHono Path Encoding Vulnerability in app.mount()
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)