CVE-2026-54287: CWE-116: Improper Encoding or Escaping of Output in honojs hono
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example Expires dates), clients cannot split the value back into individual cookies and silently drop or misparse them. This vulnerability is fixed in 4.12.25.
AI Analysis
Technical Summary
CVE-2026-54287 describes an improper encoding or escaping vulnerability (CWE-116) in the honojs hono framework when running on AWS Lambda. Specifically, the ALB single-header response and VPC Lattice v2 response incorrectly combine multiple Set-Cookie headers into one comma-separated string. Since commas appear within cookie attributes such as Expires dates, clients cannot reliably parse individual cookies, leading to silent dropping or misparsing. This issue is resolved in hono version 4.12.25.
Potential Impact
The vulnerability does not affect confidentiality or availability but can lead to integrity issues by causing clients to silently drop or misinterpret cookies. This can disrupt session management or other cookie-dependent functionality, potentially impacting application behavior.
Mitigation Recommendations
A patch is available in hono version 4.12.25 that fixes this issue. Users running affected versions on AWS Lambda should upgrade to 4.12.25 or later. Since this is a cloud service context, the vendor manages remediation for the cloud-hosted service; users should verify with the vendor's advisory for current status.
CVE-2026-54287: CWE-116: Improper Encoding or Escaping of Output in honojs hono
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example Expires dates), clients cannot split the value back into individual cookies and silently drop or misparse them. This vulnerability is fixed in 4.12.25.
CVSS v3.1
Score 5.3medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-54287 describes an improper encoding or escaping vulnerability (CWE-116) in the honojs hono framework when running on AWS Lambda. Specifically, the ALB single-header response and VPC Lattice v2 response incorrectly combine multiple Set-Cookie headers into one comma-separated string. Since commas appear within cookie attributes such as Expires dates, clients cannot reliably parse individual cookies, leading to silent dropping or misparsing. This issue is resolved in hono version 4.12.25.
Potential Impact
The vulnerability does not affect confidentiality or availability but can lead to integrity issues by causing clients to silently drop or misinterpret cookies. This can disrupt session management or other cookie-dependent functionality, potentially impacting application behavior.
Mitigation Recommendations
A patch is available in hono version 4.12.25 that fixes this issue. Users running affected versions on AWS Lambda should upgrade to 4.12.25 or later. Since this is a cloud service context, the vendor manages remediation for the cloud-hosted service; users should verify with the vendor's advisory for current status.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-12T17:46:37.292Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a39735ceed863c81e3962a7
Added to database: 06/22/2026, 17:39:40 UTC
Last enriched: 06/22/2026, 17:54:53 UTC
Last updated: 06/23/2026, 00:11:15 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.