CVE-2026-54287
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Hono is a web application framework that supports any JavaScript runtime. Prior to version 4.12.25, on AWS Lambda, ALB single-header responses and VPC Lattice v2 responses join multiple Set-Cookie headers into one comma-separated value, leading to issues with proper processing by clients.
Risk Assessment
Organizations may face issues with cookie management, potentially leading to application malfunction and security vulnerabilities related to user sessions.
Recommendation
It is recommended to upgrade to version 4.12.25 or later to eliminate this vulnerability and ensure proper processing of Set-Cookie headers.
Original NVD description (English source)
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example Expires dates), clients cannot split the value back into individual cookies and silently drop or misparse them. This vulnerability is fixed in 4.12.25.

