How AIKIDO-2026-943075 Works
This vulnerability resides in the AWS Lambda adapter used by the Hono web framework (and potentially others) when integrating with specific AWS services. The core issue is a violation of RFC 6265, which governs how HTTP `Set-Cookie` headers should be handled.
Per the RFC, each cookie must be sent in its own separate `Set-Cookie` header line. This is because the values of these headers, particularly the `Expires` attribute, frequently contain commas (e.g., Expires=Thu, 21 Sep 2023 06:12:39 GMT).
The vulnerable AWS Lambda adapter formats responses for two specific AWS service integrations: Application Load Balancer (ALB) in single-header mode (the default) and VPC Lattice v2. Instead of preserving multiple `Set-Cookie` headers as an array, the adapter incorrectly joins them into a single, comma-separated value.
For example, if a server attempts to set two cookies:
Set-Cookie: sessionId=abc123; Path=/
Set-Cookie: preference=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/
The adapter would combine them into a single header like this:
Set-Cookie: sessionId=abc123; Path=/, preference=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/
This creates an ambiguous and invalid header. The comma used as a separator now collides with the commas that are legitimate parts of the `Expires` attribute. Consequently, clients (like web browsers) that receive this malformed header cannot reliably parse it back into individual cookies.
The parsing failure can lead to several outcomes, depending on the client’s parser:
- Only the first cookie is successfully parsed, and the rest are discarded.
- The entire value is rejected as malformed, resulting in no cookies being set.
- A cookie is misparsed, combining parts of different cookies into a single, corrupted value.
This issue specifically affects AWS Lambda functions behind an ALB in single-header mode or VPC Lattice v2. Other AWS services, such as API Gateway v1/v2 and ALB with multi-value headers explicitly enabled, are unaffected because they correctly handle headers as an array.
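To make the parsing failure concrete, the following added example (not code from the advisory or from the Hono project) builds the joined header from the two cookies above, parses it the way a client that treats commas as list separators would, and contrasts that with parsing the two values as separate lines. The names `joinSetCookie`, `parseSetCookie`, `naiveClientParse` and `clientParse` are assumptions made for this illustration; the sample cookies are the ones from the write-up.

```javascript
// Added example: why a comma-joined Set-Cookie value cannot be parsed back reliably.
// Sample cookies taken from the write-up above (constructed test input).
const COOKIES = [
  'sessionId=abc123; Path=/',
  'preference=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/',
];

// What the vulnerable adapter does: collapse the values into one header, joined with ", ".
function joinSetCookie(cookies) {
  return cookies.join(', ');
}

// Parse ONE Set-Cookie value along the lines of RFC 6265 section 5.2:
// a name=value pair followed by ";"-separated attributes.
// Returns null when the leading pair has no "=", i.e. the fragment is not a cookie.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// A client that splits a header on commas, which is valid for most HTTP headers
// but is exactly what RFC 6265 forbids for Set-Cookie.
function naiveClientParse(headerValue) {
  return headerValue.split(',').map((v) => parseSetCookie(v.trim()));
}

// Correct client behaviour: each Set-Cookie line is parsed on its own.
function clientParse(headerValues) {
  return headerValues.map(parseSetCookie);
}

// Demonstration when run directly: the joined form yields a truncated Expires ("Wed")
// and a dangling date fragment that is not a cookie at all.
console.log(naiveClientParse(joinSetCookie(COOKIES)));
console.log(clientParse(COOKIES));
```

Run with `node`: the joined header produces three fragments, the second cookie keeps only `Expires=Wed` and loses its `Path`, and the trailing date fragment is not a cookie; the separate lines parse cleanly.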
DailyCVE Form
Platform: `AWS Lambda`
Version: `Hono v0.0.1 – v4.12.24`
Vulnerability: `Improper Encoding or Escaping of Output`
Severity: `Medium`
Date: `2026-06-16`
Prediction: `2026-06-23`
What Undercode Say: Analytics
The core of the problem is the incorrect handling of multi-value headers in the adapter.
# Simulating the vulnerable behavior: multiple Set-Cookie values are incorrectly joined with a comma.
echo "sessionId=abc123; Path=/" > headers.txt
echo "preference=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/" >> headers.txt
# The adapter joins them, creating an invalid header. The values are first pasted with a
# placeholder delimiter ('|' never appears in the cookies) so that only the join points,
# not the comma inside the Expires date, are rewritten to ", ".
printf 'Set-Cookie: %s\n' "$(paste -sd '|' headers.txt | sed 's/|/, /g')"
# Output:
# Set-Cookie: sessionId=abc123; Path=/, preference=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/
This logic is often found in the adapter’s response formatting code. The fix is to ensure `Set-Cookie` headers are handled as an array.
// Example of vulnerable logic (conceptual)
const setCookieHeaders = response.multiValueHeaders['set-cookie'];
if (setCookieHeaders) {
  // Vulnerable: collapses the separate cookies into one string joined with ", "
  response.headers['set-cookie'] = setCookieHeaders.join(', ');
}

// Patched logic (conceptual)
// ALB and VPC Lattice v2 expect 'multiValueHeaders' for multiple values.
// The adapter should keep the cookies as an array, not collapse them to a string.
if (setCookieHeaders) {
  response.multiValueHeaders['set-cookie'] = setCookieHeaders;
}
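The conceptual snippet above can be turned into a small, runnable formatter. The following is an added example, not Hono's adapter code: it groups a Fetch-style header list, shows the vulnerable single-string output beside an array-preserving output in the shape the write-up's patched logic uses, and adds a heuristic check that flags a response whose `Set-Cookie` has already been comma-joined (useful in an integration test or when reviewing logged responses). The function names, the `RESPONSE_HEADERS` sample and the assumption that the load balancer honours `multiValueHeaders` (ALB with multi-value headers enabled, or VPC Lattice v2) are all assumptions of this illustration.

```javascript
// Added example: vulnerable vs. array-preserving Lambda response formatting,
// plus a detection heuristic for already-joined Set-Cookie headers.

// Constructed sample: a response with one ordinary header and two cookies,
// as a list of [name, value] pairs (the shape a Fetch Headers object iterates as).
const RESPONSE_HEADERS = [
  ['content-type', 'text/html'],
  ['set-cookie', 'sessionId=abc123; Path=/'],
  ['set-cookie', 'preference=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/'],
];

// Group header pairs by lower-cased name; repeated headers become arrays.
function groupHeaders(pairs) {
  const grouped = new Map();
  for (const [name, value] of pairs) {
    const key = name.toLowerCase();
    if (!grouped.has(key)) grouped.set(key, []);
    grouped.get(key).push(value);
  }
  return grouped;
}

// Vulnerable formatter: every header is reduced to a single string, and repeated
// headers are joined with ", " (the defect described in the write-up).
function toAlbResponseVulnerable(pairs, statusCode = 200, body = '') {
  const headers = {};
  for (const [key, values] of groupHeaders(pairs)) headers[key] = values.join(', ');
  return { statusCode, headers, body };
}

// Fixed formatter: repeated headers are emitted as arrays under multiValueHeaders
// and are never joined. Assumes the integration honours multiValueHeaders
// (ALB with multi-value headers enabled, or VPC Lattice v2).
function toAlbResponseFixed(pairs, statusCode = 200, body = '') {
  const multiValueHeaders = {};
  for (const [key, values] of groupHeaders(pairs)) multiValueHeaders[key] = values;
  return { statusCode, multiValueHeaders, body };
}

// Heuristic detector: a single-string Set-Cookie containing ", <name>=" almost
// certainly holds two joined cookies. The comma inside an Expires date is followed
// by a day number and a space, not by "name=", so a lone dated cookie is not flagged.
const JOINED_COOKIE = /,\s*[^;,=\s]+=/;
function hasJoinedSetCookie(response) {
  const value = response.headers && response.headers['set-cookie'];
  return typeof value === 'string' && JOINED_COOKIE.test(value);
}

// Demonstration when run directly.
const vulnerable = toAlbResponseVulnerable(RESPONSE_HEADERS);
const fixed = toAlbResponseFixed(RESPONSE_HEADERS);
console.log('vulnerable set-cookie:', vulnerable.headers['set-cookie']);
console.log('joined?', hasJoinedSetCookie(vulnerable));
console.log('fixed set-cookie:', fixed.multiValueHeaders['set-cookie']);
console.log('joined?', hasJoinedSetCookie(fixed));
```

The detector is deliberately narrow: it is meant to catch the specific failure mode here (two cookies glued into one string) without false positives on a single cookie whose `Expires` value contains a comma, so it can run against every response in a test suite behind a single-header ALB.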
Exploit: How to Abuse
An attacker does not directly exploit this vulnerability. It is a reliability issue that manifests on the client side: a malicious actor cannot use it to inject their own cookies. The impact is purely on the availability and correct functioning of the application’s cookie-based features.
Example Scenario:
- A user logs into a web application hosted on a vulnerable AWS Lambda setup.
- The application’s login endpoint attempts to set a session cookie and a CSRF protection cookie in the response.
- The vulnerable Lambda adapter combines these two `Set-Cookie` headers into one invalid header.
- The user’s browser receives the malformed header and fails to set one or both cookies.
- The user’s session might appear successful, but the missing CSRF cookie causes subsequent form submissions to fail, effectively breaking the application’s functionality for that user.
Protection: Mitigation Strategies
Protecting against this vulnerability is straightforward and involves updating the responsible component.
1. Primary Mitigation: Upgrade the Library
The most direct fix is to upgrade the `hono` library to version 4.12.25 or later, which contains the patch for this issue.
2. Alternative Mitigation: Enable Multi-Value Headers on ALB
If you are using an ALB, you can avoid the issue by explicitly enabling multi-value header support. This forces the ALB to expect and correctly handle headers as an array, bypassing the problematic single-header mode in the adapter.
3. Workaround: Use a Single Cookie
As a temporary workaround, you can consolidate all necessary session and state data into a single cookie. This avoids the need for multiple `Set-Cookie` headers entirely.
Impact: Business and Technical Consequences
- Session and State Fragmentation: The most severe impact is on user state management. Authentication, session tracking, and CSRF protection can silently fail.
- Poor User Experience: Users may be forced to re-authenticate frequently or encounter unexplained errors, leading to frustration and support tickets.
- Data Integrity Issues: If preference or tracking cookies are dropped, the application may not function as intended for the user, potentially leading to data loss or incorrect application state.
- Developer Confusion: This is a subtle bug that can be difficult to diagnose. Developers might incorrectly assume the issue is with their application logic rather than the underlying infrastructure, leading to wasted debugging effort.
Sources:
Reported By: github.com