PT-2026-57431 · Hono · Hono
0Xkakash1
·
Published
2026-03-11
·
Updated
2026-07-11
·
CVE-2026-56763
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Hono versions prior to 4.12.7
Description
The
parseBody() function allows the use of the proto key when the dot option is enabled. This allows specially crafted form field names to create objects containing proto properties. If these parsed results are merged into regular JavaScript objects using unsafe merge patterns, it can lead to prototype pollution, which allows an attacker to modify object behavior.Recommendations
Update Hono to version 4.12.7 or later.
As a temporary mitigation, disable the dot option in the
parseBody() function.Exploit
Fix
Prototype Pollution
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hono