GHSA-26pp-8wgv-hjvm: Hono missing validation of cookie name on write path in setCookie()

April 8, 2026

Cookie names are not validated on the write path when using setCookie(), serialize(), or serializeSigned() to generate Set-Cookie headers.

While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters.

This results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).

References

github.com/advisories/GHSA-26pp-8wgv-hjvm
github.com/honojs/hono
github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec
github.com/honojs/hono/releases/tag/v4.12.12
github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm

Code Behaviors & Features

Detect and mitigate GHSA-26pp-8wgv-hjvm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →