PT-2026-57431 · Hono · Hono

0Xkakash1

·

Published

2026-03-11

·

Updated

2026-07-11

·

CVE-2026-56763

CVSS v4.0

6.3

Medium

VectorAV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.7
Description The parseBody() function allows the use of the proto key when the dot option is enabled. This allows specially crafted form field names to create objects containing proto properties. If these parsed results are merged into regular JavaScript objects using unsafe merge patterns, it can lead to prototype pollution, which allows an attacker to modify object behavior.
Recommendations Update Hono to version 4.12.7 or later. As a temporary mitigation, disable the dot option in the parseBody() function.

Exploit

Fix

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56763
GHSA-V8W9-8MX6-G223

Affected Products

Hono