GHSA-3HRH-PFW6-9M5X
Vulnerability from github – Published: 2026-06-04 17:59 – Updated: 2026-06-04 17:59Summary
The serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes.
Details
When constructing a Set-Cookie header value, serialize() appends the sameSite and priority option values directly into the output string after a presentation-only transformation (capitalizing the first character). Although the TypeScript type signature constrains these options to specific string literals, that constraint is not enforced at runtime; any string value, including one containing ; or line-feed characters, passes through unchanged.
The validation guard that rejects ;, \r, and \n from domain and path is not applied to sameSite or priority. An application that passes a request-derived value to either option therefore provides an injection point into the header line.
This issue arises when an application passes user-controlled input to the sameSite or priority option of setCookie() or serialize().
Impact
An attacker who can control the sameSite or priority option value may inject additional attributes into a Set-Cookie response header.
This may lead to:
- Cookie attribute injection — overriding
Domain,Path,HttpOnly,Secure, orMax-Agefor the affected cookie - HTTP response header injection on runtimes that do not strictly validate header values, enabling a second attacker-controlled
Set-Cookieheader in the same response
This issue affects applications that pass user-derived input into the sameSite or priority option of hono/cookie serialization functions.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hono"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.12.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47675"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-1287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T17:59:25Z",
"nvd_published_at": "2026-05-28T17:16:32Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe `serialize()` function in `hono/cookie` validates `domain` and `path` options against characters that corrupt `Set-Cookie` header syntax (`;`, `\\r`, `\\n`), but does not apply the same validation to `sameSite` and `priority`. An application that passes user-controlled input into either option may produce a `Set-Cookie` response header containing attacker-chosen additional attributes.\n\n### Details\n\nWhen constructing a `Set-Cookie` header value, `serialize()` appends the `sameSite` and `priority` option values directly into the output string after a presentation-only transformation (capitalizing the first character). Although the TypeScript type signature constrains these options to specific string literals, that constraint is not enforced at runtime; any string value, including one containing `;` or line-feed characters, passes through unchanged.\n\nThe validation guard that rejects `;`, `\\r`, and `\\n` from `domain` and `path` is not applied to `sameSite` or `priority`. An application that passes a request-derived value to either option therefore provides an injection point into the header line.\n\nThis issue arises when an application passes user-controlled input to the `sameSite` or `priority` option of `setCookie()` or `serialize()`.\n\n### Impact\n\nAn attacker who can control the `sameSite` or `priority` option value may inject additional attributes into a `Set-Cookie` response header.\n\nThis may lead to:\n\n- Cookie attribute injection \u2014 overriding `Domain`, `Path`, `HttpOnly`, `Secure`, or `Max-Age` for the affected cookie\n- HTTP response header injection on runtimes that do not strictly validate header values, enabling a second attacker-controlled `Set-Cookie` header in the same response\n\nThis issue affects applications that pass user-derived input into the `sameSite` or `priority` option of `hono/cookie` serialization functions.",
"id": "GHSA-3hrh-pfw6-9m5x",
"modified": "2026-06-04T17:59:25Z",
"published": "2026-06-04T17:59:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/honojs/hono/security/advisories/GHSA-3hrh-pfw6-9m5x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47675"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/commit/905aedbc20661e0e2fa378783a7ec44a5c3df43d"
},
{
"type": "PACKAGE",
"url": "https://github.com/honojs/hono"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/releases/tag/v4.12.21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.