CVE-2026-56763 PUBLISHED

Hono - Prototype Pollution via __proto__ Key in parseBody with dot Option

Assigner: VulnCheck
Reserved: 22.06.2026 Published: 11.07.2026 Updated: 11.07.2026

Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.3

Product Status

Vendor Hono
Product Hono
Versions Default: unaffected
  • affected from 0 to 4.12.7 (excl.)
  • Version 4.12.7 is unaffected

Credits

  • 0xkakash1 reporter

References

Problem Types

  • Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') CWE