hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
Description
AWS Lambda's ALB single-header and VPC Lattice v2 join multiple Set-Cookie headers into a comma-separated value, causing clients to drop or misparse cookies, breaking sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value [1][2]. Per RFC 6265, each cookie must be its own header line, and commas may appear inside cookie attribute values (e.g., Expires dates). Joining cookies with ", " collides with those commas, producing a value that clients cannot reliably split. Only ALB single-header mode (the default) and VPC Lattice v2 are affected; API Gateway v1/v2 and ALB with multi-value headers enabled are unaffected.
Exploitation
An application that sets multiple cookies per response on AWS Lambda behind an ALB in single-header mode or VPC Lattice v2 will have the Set-Cookie headers concatenated incorrectly. No special attacker privilege or user interaction is required—the flaw is triggered by normal server behavior. The client receives a malformed response, and the browser or HTTP client fails to parse the cookies correctly.
Impact
A client may receive only one of the cookies, a malformed cookie, or none [1][2]. Session, CSRF, or preference cookies can silently fail to apply, breaking sessions or forcing re-authentication.
Mitigation
For ALB, enable multi-value headers to send each cookie as a separate header [1]. For VPC Lattice v2, no official fix has been announced; users should avoid setting multiple cookies per response or implement a custom workaround to split cookies before the response is sent.
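The join described under Vulnerability and the multi-value shape the mitigation relies on, as an added illustration that is not Hono's adapter code: it builds a Fetch `Headers` object with two constructed Set-Cookie values (one carrying a comma inside its Expires date), produces the two ALB response shapes, and shows what a client that splits the joined string on ", " ends up with. Assumes Node 19.7 or later for `Headers.prototype.getSetCookie()`.

```javascript
// Added example (not Hono's own code). Models how a Lambda adapter turns a
// response with several Set-Cookie headers into the two ALB response shapes.

// Constructed sample cookies; the Expires date deliberately contains a comma.
const SAMPLE_COOKIES = [
  "session=abc123; Path=/; HttpOnly; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
  "csrf=xyz789; Path=/; SameSite=Strict",
];

// Build headers the way a handler would: one Set-Cookie header per cookie.
function buildHeaders(cookies) {
  const headers = new Headers();
  for (const c of cookies) headers.append("set-cookie", c);
  return headers;
}

// ALB single-header shape (the default): one string per header name.
// Headers.get() combines repeated values with ", "; this is the defect.
function toAlbSingleHeader(headers) {
  return { statusCode: 200, headers: { "set-cookie": headers.get("set-cookie") } };
}

// ALB multi-value-headers shape: every header value is an array, so each
// cookie remains its own value. Requires multi-value headers on the target group.
function toAlbMultiValueHeaders(headers) {
  return { statusCode: 200, multiValueHeaders: { "set-cookie": headers.getSetCookie() } };
}

// What a client does with the joined string: split on ", ". The comma inside
// the Expires date splits the first cookie, truncating its Expires attribute
// and producing a third bogus "cookie" with no "=" in it.
function naiveSplit(joined) {
  return joined.split(", ");
}

// Cookie names a client would end up with, for comparing the two shapes.
function cookieNames(values) {
  return values.map((v) => v.split("=")[0].trim());
}

// Summary of both shapes for the constructed sample.
function demo() {
  const headers = buildHeaders(SAMPLE_COOKIES);
  const joined = toAlbSingleHeader(headers).headers["set-cookie"];
  return {
    singleHeaderParsed: cookieNames(naiveSplit(joined)),
    multiValueParsed: cookieNames(toAlbMultiValueHeaders(headers).multiValueHeaders["set-cookie"]),
  };
}
```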
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.