hono is vulnerable to Improper Encoding or Escaping of Output
53
Medium Risk
The AWS Lambda adapter formats ALB single-header and VPC Lattice v2 responses by joining multiple Set-Cookie values into one comma-separated header. Commas also appear inside cookie attribute values, so clients cannot split the merged value back into individual cookies. Session, CSRF, or preference cookies may be dropped or misparsed, breaking authentication state. The adapter now emits Set-Cookie as an array so each cookie keeps its own header line.
You are affected if you are using a version that falls within the vulnerable range and you set multiple cookies per response on AWS Lambda behind ALB single-header mode or VPC Lattice v2.
hono is vulnerable to Improper Encoding or Escaping of Output in versions 0.0.1 - 4.12.24.
Upgrade the hono library to the patch version.
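The ambiguity described above, as an added example (not hono's code and not part of the advisory): it merges three constructed cookies into one comma-separated value, then shows what a receiver recovers by splitting on commas or by treating the value as a single cookie. The helper names and cookie values are assumptions made for illustration.

```javascript
// Constructed sample cookies (illustrative names and values, not from the advisory).
const cookies = [
  "session=abc123; Path=/; HttpOnly; Secure; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
  "csrf=tok456; Path=/; SameSite=Strict",
  "prefs=dark; Path=/; Expires=Thu, 22 Oct 2026 07:28:00 GMT",
];

// Hypothetical helper: the merged, comma-separated form the advisory describes.
function mergeSetCookie(values) {
  return values.join(", ");
}

// Receiver strategy 1: split the merged value on commas.
function splitOnCommas(merged) {
  return merged.split(",").map((piece) => piece.trim());
}

// Receiver strategy 2: treat the whole value as a single cookie.
function parseAsOneCookie(value) {
  const [pair, ...attributes] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Compare what was sent with what each strategy recovers.
function compare(values) {
  const merged = mergeSetCookie(values);
  const pieces = splitOnCommas(merged);
  return {
    sent: values.length,
    // The Expires dates contain commas, so the split yields extra fragments.
    piecesAfterSplit: pieces.length,
    // Only cookies without a comma in any attribute survive the split unchanged.
    intactAfterSplit: values.filter((v) => pieces.includes(v)).length,
    // A single-cookie parser sees the first cookie; the rest become attributes.
    onlyCookieSeen: parseAsOneCookie(merged).name,
    // One header line per cookie (array form): each entry parses on its own.
    namesFromArray: values.map((v) => parseAsOneCookie(v).name),
  };
}

console.log(compare(cookies));
```

A regression test for a deployment in this configuration can assert the same property: the number of Set-Cookie entries that reach the client equals the number of cookies the handler set.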