CVE Reports

Posted on • Originally published at cvereports.com

GHSA-26PP-8WGV-HJVM: HTTP Response Splitting via CRLF Injection in Hono's setCookie

Vulnerability ID: GHSA-26PP-8WGV-HJVM
CVSS Score: 5.3
Published: 2026-04-08

The Hono web framework contains a vulnerability in its cookie management utility that allows HTTP response splitting. The setCookie function does not validate or sanitize the cookie name against control characters. If an application uses untrusted input as a cookie name, an attacker can inject carriage return and line feed (CRLF) characters and thereby manipulate the raw HTTP response headers.

TL;DR

Hono versions prior to 4.12.12 do not sanitize cookie names in the setCookie utility, leading to CRLF injection. Attackers can exploit this to inject arbitrary HTTP headers or split the response, provided the application uses dynamic user input for cookie names. Upgrading to version 4.12.12 resolves the vulnerability.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: HTTP Response Splitting / CRLF Injection
  • CWE ID: CWE-113, CWE-93
  • Affected Component: hono/cookie (setCookie utility)
  • Exploit Status: Proof of Concept available
  • CVSS Score: 5.3 (Moderate)
  • Attack Vector: Network

Affected Systems

  • Hono Web Framework
  • hono: < 4.12.12 (Fixed in: 4.12.12)

Code Analysis

Commit: a586cd7

Fix for invalid cookie name injection in setCookie

const _serialize = (name: string, value: string, opt: CookieOptions = {}): string => {
+  if (!validCookieNameRegEx.test(name)) {
+    throw new Error('Invalid cookie name')
+  }
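Review bot: `validCookieNameRegEx` is tested at the top of `_serialize` but is not defined in the shown lines; add a comment on the check (or show the regex declaration beside it) stating that the pattern admits only RFC 6265 token characters and so excludes CR, LF and other CTLs, since the correctness of the fix rests entirely on that pattern. The new check also covers only `name`; `value` and the fields of `opt` are written into the same Set-Cookie line and are not validated in this hunk, so confirm they are encoded or validated elsewhere.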

Exploit Details

  • Security Research: Demonstrates HTTP Response Splitting via injected Location header.

Mitigation Strategies

  • Upgrade the framework package to a patched release.
  • Validate all user input used to construct HTTP structures.
  • Deploy WAF rules to detect and block CRLF injection patterns.

Remediation Steps:

  1. Run npm install hono@latest to upgrade to version 4.12.12 or newer.
  2. Audit application source code for calls to setCookie() that use variable or dynamic data for the cookie name parameter.
  3. Implement validation to enforce RFC 6265 token requirements on any dynamic cookie names.
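As an added illustration of remediation step 3 (not Hono's own code), the function below enforces the RFC 6265 token grammar on a dynamic cookie name before it is serialized, and a hypothetical serializer refuses rather than emits a name that fails the check. The names and the option handling are assumptions for the example.

```javascript
// RFC 6265 cookie-name is a "token" (RFC 7230 tchar): letters, digits and
// the characters !#$%&'*+-.^_`|~ only. CR, LF and all other CTLs, whitespace
// and separators are excluded, which is what blocks header injection.
const TCHAR_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns true only when `name` is a syntactically valid cookie-name.
function isValidCookieName(name) {
  return typeof name === 'string' && TCHAR_RE.test(name);
}

// Audit helper: flag candidate names that carry a line break at all.
function containsCrlf(s) {
  return typeof s === 'string' && /[\r\n]/.test(s);
}

// Hypothetical hardened serializer (example only). It throws on an invalid
// name instead of writing it verbatim into the Set-Cookie header line.
function serializeCookie(name, value, opts = {}) {
  if (!isValidCookieName(name)) {
    throw new Error('Invalid cookie name');
  }
  // Values must not carry CTLs either; real frameworks usually URL-encode
  // the value, this example simply rejects control characters.
  if (typeof value !== 'string' || /[\x00-\x1f\x7f]/.test(value)) {
    throw new Error('Invalid cookie value');
  }
  let out = `${name}=${value}`;
  if (opts.path) out += `; Path=${opts.path}`;
  if (opts.httpOnly) out += '; HttpOnly';
  if (opts.secure) out += '; Secure';
  return out;
}
```

Run `isValidCookieName` over every dynamic name found while auditing setCookie() call sites; any name that fails is a candidate for the injection described above.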

Read the full report for GHSA-26PP-8WGV-HJVM on our website for more details including interactive diagrams and full exploit analysis.
