CVE-2026-56762
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
Hono before version 4.12.12 does not validate cookie names in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters. This can lead to malformed Set-Cookie header values.
Risk Assessment
This issue affects the correctness and robustness of the application, leading to runtime errors that may impact system availability.
Recommendation
It is recommended to update Hono to version 4.12.12 or later to ensure proper validation of cookie names.
Original NVD description (English source)
Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie header values. In modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and cause a runtime error before the response is sent, so header injection or response splitting could not be reproduced; the issue primarily affects correctness and robustness, resulting in runtime errors (availability) rather than confirmed header injection.

