GHSA-j6c9-x7qj-28xf

Suggest an improvement
Source
https://github.com/advisories/GHSA-j6c9-x7qj-28xf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-j6c9-x7qj-28xf/GHSA-j6c9-x7qj-28xf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j6c9-x7qj-28xf
Aliases
  • CVE-2026-54287
Downstream
Related
Published
2026-06-16T14:08:40Z
Modified
2026-06-17T17:59:19.991549128Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
Details

Summary

On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example Expires dates), clients cannot split the value back into individual cookies and silently drop or misparse them.

Details

Per RFC 6265, each cookie must be its own Set-Cookie header line, and commas may appear inside attribute values. Joining cookies with ", " collides with those commas, producing a value that clients cannot reliably split. Only ALB single-header mode and VPC Lattice v2 are affected; API Gateway v1/v2 and ALB with multi-value headers enabled already use an array and are unaffected.

Impact

A client may receive only one of the cookies, a malformed cookie, or none. Session, CSRF, or preference cookies can silently fail to apply, breaking sessions or forcing re-authentication. This affects applications that set multiple cookies per response and run on AWS Lambda behind an ALB in single-header mode (the default) or VPC Lattice v2.

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-116"
    ],
    "github_reviewed_at": "2026-06-16T14:08:40Z",
    "github_reviewed": true
}
References

Affected packages

npm / hono

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.12.25

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-j6c9-x7qj-28xf/GHSA-j6c9-x7qj-28xf.json"