GHSA-3wcj-gjvf-fvchMediumCVSS 4.8

Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting...

Published
July 11, 2026
Last Modified
July 11, 2026

🔗 CVE IDs covered (1)

📋 Description

Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.

🔗 References (4)