CVE-2026-56763

Summary

Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.

Affected Software

VendorProductVersion RangeStatus
HonoHono0 < 4.12.7affected
HonoHono4.12.7unaffected

Weaknesses

  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

References