Hono
cpe:2.3:a:hono:hono:*:*:*:*:node.js:*:*
- < 4.12.21
A cookie injection vulnerability has been identified in the Hono web application framework, prior to version 4.12.21. The issue arises in the serialize() function of hono/cookie, which validates domain and path options to prevent corruption of Set-Cookie header syntax. However, this validation is not applied to the sameSite and priority options. As a result, an application that accepts user-controlled input for these options may inadvertently create a Set-Cookie header with additional attributes chosen by the attacker. This vulnerability could allow for cookie attribute injection, potentially overriding important cookie settings, or even injecting a second Set-Cookie header in responses from runtimes with lax header validation.
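The mitigation the advisory points at is to treat `sameSite` and `priority` as closed enumerations rather than free-form strings, so no value that could carry attribute or header separators ever reaches the `Set-Cookie` line. The following is an added example written for this page; it is not Hono's code and not the fix shipped in 4.12.21. The function name `serializeCookie`, the option names, and the additional rule that `SameSite=None` requires `Secure` are assumptions chosen for illustration.

```javascript
// Added example, not Hono's implementation: a Set-Cookie serializer in which
// sameSite and priority are validated against allowlists, while domain and
// path are checked for attribute/header separators.

// Canonical spellings for the two enumerated attributes.
const SAME_SITE_VALUES = { strict: "Strict", lax: "Lax", none: "None" };
const PRIORITY_VALUES = { low: "Low", medium: "Medium", high: "High" };

// Map a caller-supplied enumeration value to its canonical form, or reject it.
// Anything outside the allowlist (including values carrying ';' or CRLF)
// raises a TypeError instead of being interpolated into the header.
function canonicalEnum(optionName, raw, allowed) {
  const key = String(raw).toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(allowed, key)) {
    throw new TypeError(`${optionName}: unsupported value`);
  }
  return allowed[key];
}

// Free-form attributes (domain, path) must not contain the characters that
// terminate an attribute (';') or a header line (CR, LF).
const UNSAFE_ATTRIBUTE = /[;\r\n]/;
function safeFreeform(optionName, raw) {
  const s = String(raw);
  if (UNSAFE_ATTRIBUTE.test(s)) {
    throw new TypeError(`${optionName}: invalid characters`);
  }
  return s;
}

function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain !== undefined) parts.push(`Domain=${safeFreeform("domain", opts.domain)}`);
  if (opts.path !== undefined) parts.push(`Path=${safeFreeform("path", opts.path)}`);
  if (opts.maxAge !== undefined) {
    if (!Number.isInteger(opts.maxAge) || opts.maxAge < 0) {
      throw new TypeError("maxAge: must be a non-negative integer");
    }
    parts.push(`Max-Age=${opts.maxAge}`);
  }
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite !== undefined) {
    const sameSite = canonicalEnum("sameSite", opts.sameSite, SAME_SITE_VALUES);
    // Assumed policy for this example: SameSite=None is only meaningful with Secure.
    if (sameSite === "None" && !opts.secure) {
      throw new TypeError("sameSite: 'None' requires secure=true");
    }
    parts.push(`SameSite=${sameSite}`);
  }
  if (opts.priority !== undefined) {
    parts.push(`Priority=${canonicalEnum("priority", opts.priority, PRIORITY_VALUES)}`);
  }
  return parts.join("; ");
}

// Helper for checks: true when the given options are refused by the serializer.
function isRejected(opts) {
  try {
    serializeCookie("session", "abc", opts);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

Because the enumerated attributes are looked up in a table and only the table's own strings are emitted, a value that is not exactly one of the permitted spellings can never add attributes or a second header, regardless of how strictly the runtime validates outgoing headers. The `isRejected` helper is there so the behaviour can be asserted in a test suite against constructed inputs.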
Exploitation of this vulnerability allows for injection of attributes into the Set-Cookie response header, which could lead to unauthorized modification of cookie settings or injection of additional Set-Cookie headers in the response.
Users can upgrade to Hono version 4.12.21 or later to address this vulnerability.