CVE Catalog

CVE-2026-56762

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

Hono before version 4.12.12 does not validate cookie names in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters. This can lead to malformed Set-Cookie header values.

Risk Assessment

This issue affects the correctness and robustness of the application, leading to runtime errors that may impact system availability.

Recommendation

It is recommended to update Hono to version 4.12.12 or later to ensure proper validation of cookie names.

Original NVD description (English source)

Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie header values. In modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and cause a runtime error before the response is sent, so header injection or response splitting could not be reproduced; the issue primarily affects correctness and robustness, resulting in runtime errors (availability) rather than confirmed header injection.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS