Hono Web Application Framework Cookie Attribute Injection Vulnerability

A cookie attribute injection vulnerability has been identified in the Hono web application framework, affecting versions prior to 4.12.4. The issue arises in the setCookie() utility, which failed to properly validate semicolons, carriage returns, and newline characters in the domain and path options when creating the Set-Cookie header. This lack of validation could allow the injection of additional cookie attributes if untrusted input was introduced into these fields. Although modern runtimes typically block full header injection via carriage returns or newlines, this vulnerability could still be exploited to manipulate cookie attributes within a single Set-Cookie header.

Impact

Exploitation of this vulnerability could lead to unintended manipulation of cookie attributes, potentially affecting cookie scoping or security attributes, depending on browser behavior. The vulnerability requires application-level misuse of cookie options.

Reproduction

The vulnerability can be reproduced by using the setCookie() utility with untrusted input that includes semicolons, carriage returns, or newline characters in the domain or path options. The utility will not throw an error for these unsafe characters, allowing the injection of additional cookie attributes when the Set-Cookie header is constructed.

Remediation

Users can upgrade to Hono version 4.12.4 or later, where this vulnerability has been patched.