CVE-2026-56763
6.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Hono | Hono | 0 < 4.12.7 | affected |
| Hono | Hono | 4.12.7 | unaffected |
Weaknesses
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
References
- https://github.com/honojs/hono/security/advisories/GHSA-v8w9-8mx6-g223
- https://www.vulncheck.com/advisories/hono-prototype-pollution-via-proto-key-in-parsebody-with-dot-option
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.