CVE-2026-47675
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Description
### Summary

The `serialize()` function in `hono/cookie` validates the `domain` and `path` options against characters that corrupt `Set-Cookie` header syntax (`;`, `\r`, `\n`), but does not apply the same validation to `sameSite` and `priority`. An application that passes user-controlled input into either option may produce a `Set-Cookie` response header containing attacker-chosen additional attributes.

### Details

When constructing a `Set-Cookie` header value, `serialize()` appends the `sameSite` and `priority` option values directly to the output string after a presentation-only transformation (capitalizing the first character). Although the TypeScript type signature constrains these options to specific string literals, that constraint exists only at compile time and is not enforced at runtime; any string value, including one containing `;`, `\r` or `\n`, passes through unchanged. The validation guard that rejects those characters from `domain` and `path` is not applied to `sameSite` or `priority`.

An application that passes a request-derived value to the `sameSite` or `priority` option of `setCookie()` or `serialize()` therefore provides an injection point into the header line.

### Impact

An attacker who can control the `sameSite` or `priority` option value may inject additional attributes into a `Set-Cookie` response header. This may lead to:

- Cookie attribute injection: overriding `Domain`, `Path`, `HttpOnly`, `Secure`, or `Max-Age` for the affected cookie
- HTTP response header injection on runtimes that do not strictly validate header values, enabling a second attacker-controlled `Set-Cookie` header in the same response

Only applications that pass user-derived input into the `sameSite` or `priority` option of the `hono/cookie` serialization functions are affected.
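The following is an added illustration, not Hono's own code: a minimal model of a `Set-Cookie` serializer with the shape the advisory describes (runtime guard on `domain` and `path`, none on `sameSite` and `priority`), next to a hardened variant that enforces the allowlist at runtime. The option names mirror the advisory; the function names, the attribute order, the `attacker.example` / `app.example` hosts and the injected string are assumptions constructed for this example, and the hardened variant is one reasonable fix shape, not necessarily the upstream patch in 4.12.21.

```typescript
// Added example (not Hono's code): model of the flaw described in the
// advisory, plus a hardened serializer. Names and sample data are assumed.

type SameSite = 'Strict' | 'Lax' | 'None';
type Priority = 'Low' | 'Medium' | 'High';

interface CookieOptions {
  domain?: string;
  path?: string;
  maxAge?: number;
  httpOnly?: boolean;
  secure?: boolean;
  sameSite?: SameSite;
  priority?: Priority;
}

// Characters that end an attribute (;) or a header line (CR, LF).
const HEADER_BREAKING = /[;\r\n]/;

function capitalize(s: string): string {
  return s.charAt(0).toUpperCase() + s.slice(1);
}

// Shared part: the guarded attributes. domain and path are rejected when
// they contain header-breaking characters.
function serializeCommon(name: string, value: string, opt: CookieOptions): string {
  let cookie = `${name}=${encodeURIComponent(value)}`;
  if (opt.domain !== undefined) {
    if (HEADER_BREAKING.test(opt.domain)) throw new TypeError('domain is invalid');
    cookie += `; Domain=${opt.domain}`;
  }
  if (opt.path !== undefined) {
    if (HEADER_BREAKING.test(opt.path)) throw new TypeError('path is invalid');
    cookie += `; Path=${opt.path}`;
  }
  if (opt.maxAge !== undefined) cookie += `; Max-Age=${Math.floor(opt.maxAge)}`;
  if (opt.httpOnly) cookie += '; HttpOnly';
  if (opt.secure) cookie += '; Secure';
  return cookie;
}

// Vulnerable shape: the literal union is erased at runtime, so whatever
// string arrives is capitalized and appended verbatim.
function serializeVulnerable(name: string, value: string, opt: CookieOptions = {}): string {
  let cookie = serializeCommon(name, value, opt);
  if (opt.sameSite) cookie += `; SameSite=${capitalize(opt.sameSite)}`;
  if (opt.priority) cookie += `; Priority=${capitalize(opt.priority)}`;
  return cookie;
}

// Hardened shape: compare against a runtime allowlist (case-insensitively)
// and reject everything else before it can reach the header.
const SAME_SITE_VALUES = new Set(['strict', 'lax', 'none']);
const PRIORITY_VALUES = new Set(['low', 'medium', 'high']);

function serializeHardened(name: string, value: string, opt: CookieOptions = {}): string {
  let cookie = serializeCommon(name, value, opt);
  if (opt.sameSite !== undefined) {
    const v = String(opt.sameSite).toLowerCase();
    if (!SAME_SITE_VALUES.has(v)) throw new TypeError('sameSite is invalid');
    cookie += `; SameSite=${capitalize(v)}`;
  }
  if (opt.priority !== undefined) {
    const v = String(opt.priority).toLowerCase();
    if (!PRIORITY_VALUES.has(v)) throw new TypeError('priority is invalid');
    cookie += `; Priority=${capitalize(v)}`;
  }
  return cookie;
}

// Constructed attacker input, e.g. a query parameter the app forwards into
// the sameSite option. The `as SameSite` cast is what an app effectively does
// when it hands a request string to a literal-typed option.
const INJECTED: string = 'lax; Domain=attacker.example; Path=/\r\nSet-Cookie: session=evil';

function vulnerableHeader(): string {
  return serializeVulnerable('pref', '1', {
    domain: 'app.example',
    httpOnly: true,
    sameSite: INJECTED as SameSite,
  });
}

// What a runtime that does not validate header values would write: the
// embedded CRLF turns one Set-Cookie header into two.
function headerLines(cookieValue: string): string[] {
  return `Set-Cookie: ${cookieValue}`.split('\r\n');
}

function hardenedRejectsInjection(): boolean {
  try {
    serializeHardened('pref', '1', { domain: 'app.example', sameSite: INJECTED as SameSite });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

In the vulnerable output the attacker's `Domain=attacker.example` follows the application's `Domain=app.example` in the same attribute list, and a browser takes the last occurrence of a given attribute, which is the attribute-override case in the impact list; the trailing CRLF is the second-header case, which only materializes on a runtime that writes the value without validating it.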
How to fix CVE-2026-47675
To remediate CVE-2026-47675, upgrade the affected package to a fixed version below.
- hono: upgrade to 4.12.21 or later
Is CVE-2026-47675 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47675.