CVE Catalog

CVE-2026-54287

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile — higher than 8% of all known CVEs

Summary

Hono is a web application framework that supports any JavaScript runtime. Prior to version 4.12.25, on AWS Lambda, ALB single-header responses and VPC Lattice v2 responses join multiple Set-Cookie headers into one comma-separated value, leading to issues with proper processing by clients.

Risk Assessment

Organizations may face issues with cookie management, potentially leading to application malfunction and security vulnerabilities related to user sessions.

Recommendation

It is recommended to upgrade to version 4.12.25 or later to eliminate this vulnerability and ensure proper processing of Set-Cookie headers.

Original NVD description (English source)

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example Expires dates), clients cannot split the value back into individual cookies and silently drop or misparse them. This vulnerability is fixed in 4.12.25.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS