CVE-2026-47675
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes. This vulnerability is fixed in 4.12.21.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hono's cookie serialization function did not validate the sameSite and priority options, allowing injection of Set-Cookie attributes; fixed in 4.12.21.
Vulnerability
In the cookie module of the Hono framework, the serialize() function (versions below 4.12.21) screens the domain and path options for characters that break the Set-Cookie response header (;, \r and \n are rejected), but does not apply the same validation to the sameSite and priority options. Although the TypeScript type signature restricts them to specific string literals, this is not enforced at runtime, so arbitrary string values are accepted. When an application passes user-controllable input to the sameSite or priority parameter of setCookie() or serialize(), an attacker can use it to inject additional directives [1].
Exploitation
The attacker needs to be able to control the value the application passes to the sameSite or priority option (for example via an HTTP request parameter, a request header, or any other user-supplied data). Constructing a string that contains special characters such as ; or \r\n is sufficient. For example, passing Lax; Domain=attacker.com as sameSite causes the value to be appended directly to the Set-Cookie header, injecting additional cookie attributes. No special privileges or user interaction are required; the application only needs to pass such a parameter through [1].
Impact
Successful exploitation can lead to:
- Cookie attribute injection: overriding the original cookie's Domain, Path, HttpOnly, Secure or Max-Age, which may break the cookie's intended security constraints.
- HTTP response header injection: in runtimes that do not strictly validate response header values, injecting an additional Set-Cookie header, which may allow the attacker to set arbitrary cookies or, combined with other vulnerabilities, achieve session fixation, cross-site scripting and similar attacks [1].
Mitigation
The vendor fixed this issue in version 4.12.21, and all users should upgrade to that version or later. If an immediate upgrade is not possible, make sure no user-controllable input is passed directly to the sameSite or priority options, and add allowlist validation for these parameters (for example, accept only the enumerated values 'strict', 'lax', 'none'). Not known to be listed in KEV [1].
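As an added illustration (not Hono's own code), the following model serializer reproduces the validation gap described in the Vulnerability section and the allowlist check recommended in the Mitigation; the function names and the attributeCount helper are assumptions of this example, not part of hono/cookie:

```javascript
// Added example, not Hono's source: a minimal Set-Cookie serializer that
// models the defect described in this CVE and the allowlist fix. Function
// and option names are ours; only the attribute names follow the advisory.
const HEADER_BREAKERS = /[;\r\n]/;
const SAME_SITE_VALUES = new Set(["strict", "lax", "none"]);
const PRIORITY_VALUES = new Set(["low", "medium", "high"]);

function rejectIfBreaksHeader(label, v) {
  if (HEADER_BREAKERS.test(v)) throw new TypeError(`${label} contains ; or CRLF`);
}

// Before the fix (modelled): domain and path are screened for header-
// breaking characters, but sameSite and priority are appended verbatim.
function serializeUnvalidated(name, value, opt = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opt.domain !== undefined) {
    rejectIfBreaksHeader("domain", opt.domain);
    out += `; Domain=${opt.domain}`;
  }
  if (opt.path !== undefined) {
    rejectIfBreaksHeader("path", opt.path);
    out += `; Path=${opt.path}`;
  }
  if (opt.httpOnly) out += "; HttpOnly";
  if (opt.secure) out += "; Secure";
  if (opt.sameSite !== undefined) out += `; SameSite=${opt.sameSite}`; // unchecked
  if (opt.priority !== undefined) out += `; Priority=${opt.priority}`; // unchecked
  return out;
}

// After the fix (modelled): enumerated attributes must match an allowlist
// (compared case-insensitively), so no free-form text reaches the header.
function serializeValidated(name, value, opt = {}) {
  const ss = opt.sameSite, pr = opt.priority;
  if (ss !== undefined && !SAME_SITE_VALUES.has(String(ss).toLowerCase())) {
    throw new TypeError(`sameSite must be one of ${[...SAME_SITE_VALUES]}`);
  }
  if (pr !== undefined && !PRIORITY_VALUES.has(String(pr).toLowerCase())) {
    throw new TypeError(`priority must be one of ${[...PRIORITY_VALUES]}`);
  }
  return serializeUnvalidated(name, value, opt);
}

// Response-side check for tests or detection: a Set-Cookie line must carry
// exactly the attributes the caller set; any surplus means injection.
function attributeCount(header) {
  return header.split(";").length - 1;
}
```

Running the unvalidated variant with the page's sample value yields two attributes where one was intended, while the validated variant rejects the value before any header is built.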
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
1a83ddb882e0c4.12.21
1 file changed · +1 −1
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "hono", - "version": "4.12.20", + "version": "4.12.21", "description": "Web framework built on Web Standards", "main": "dist/cjs/index.js", "type": "module",
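Review bot: the only change in this hunk is the package.json version bump from 4.12.20 to 4.12.21; it does not touch the hono/cookie serialize() validation that the description says was fixed, so this patch alone cannot be used to review or confirm the fix. The commit that adds the sameSite/priority checks should be linked alongside this release bump.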
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.