CVE-2026-54287 | Hono is a Web application framework that provides support fo… | CVSS 5.3 MEDIUM

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example Expires dates), clients cannot split the value back into individual cookies and silently drop or misparse them. This vulnerability is fixed in 4.12.25.

Metadata

CVE ID: CVE-2026-54287
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 17:46 UTC
Published: 2026-06-22 17:13 UTC
Last updated: 2026-06-22 17:36 UTC
Primary CWE: CWE-116
CWE-116: Improper Encoding or Escaping of Output
Vendor / Product: honojs / hono
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
honojs	hono	—	< 4.12.25

Weakness (CWE)

CWE	Source	Description
CWE-116	cna	CWE-116: Improper Encoding or Escaping of Output

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (1)

https://github.com/honojs/hono/security/advisories/GHSA-j6c9-x7qj-28xf https://github.com/honojs/hono/security/advisories/GHSA-j6c9-x7qj-28xf