4.8
Hono Allows Malicious Data to Access Sensitive System Data
GHSA-v8w9-8mx6-g223
Summary
Using Hono's parseBody function with the dot notation option enabled can allow attackers to access sensitive system data. This can happen if your application merges the parsed data into regular objects in an unsafe way. To protect your application, make sure you're using safe methods to merge data and consider disabling the dot notation feature in Hono.
What to do
- Update hono to version 4.12.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | hono | <= 4.12.7 | 4.12.7 |
Original title
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
Original description
## Summary
When using `parseBody({ dot: true })` in HonoRequest, specially crafted form field names such as `__proto__.x` could create objects containing a `__proto__` property.
If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the target object.
## Details
The `parseBody({ dot: true })` feature supports dot notation to construct nested objects from form field names.
In previous versions, the `__proto__` path segment was not filtered. As a result, specially crafted keys such as `__proto__.x` could produce objects containing `__proto__` properties.
While this behavior does not directly modify `Object.prototype` within Hono itself, it may become exploitable if the parsed result is later merged into regular JavaScript objects using unsafe merge patterns.
## Impact
Applications that merge parsed form data into regular objects using unsafe patterns (for example recursive deep merge utilities) may become vulnerable to prototype pollution.
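The following JavaScript is an added example, not Hono's own code, that makes the two halves of the advisory concrete: a minimal dot-notation field expander standing in for the pre-fix and fixed behaviour of `parseBody({ dot: true })` (a simplified stand-in, not Hono's implementation), and an unsafe recursive deep merge of the kind the Impact section warns about, beside a hardened merge. The function names (`parseDotFields`, `deepMergeUnsafe`, `deepMergeSafe`, `demo`) and the form fields in `CONSTRUCTED_FIELDS` are this example's own, constructed for illustration.

```javascript
// Added example (not Hono's code). Segments that must never become keys when
// expanding dot notation or merging untrusted data into plain objects.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Expand {"a.b": 1} into {a: {b: 1}}. With reject=false every segment is used
// as a key, so "__proto__.x" yields an own "__proto__" key (the pre-fix
// behaviour the advisory describes). Null-prototype objects are used so that
// "__proto__" is stored as an ordinary own key rather than re-pointing the
// object's prototype.
function parseDotFields(fields, { reject = true } = {}) {
  const result = Object.create(null);
  for (const [name, value] of Object.entries(fields)) {
    const segments = name.split('.');
    if (reject && segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
      continue; // hardened path: the whole field is dropped
    }
    let node = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (typeof node[seg] !== 'object' || node[seg] === null) {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    node[segments[segments.length - 1]] = value;
  }
  return result;
}

// Unsafe recursive deep merge: it walks every own key of `source`, including
// an own "__proto__" key, and on a plain `target` the lookup target["__proto__"]
// resolves to Object.prototype, which then receives the nested keys.
function deepMergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      deepMergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip the forbidden keys and only descend into properties
// that `target` actually owns, never into inherited ones.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_SEGMENTS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample form fields: one ordinary field and one using the
// "__proto__.x" pattern named in the advisory.
const CONSTRUCTED_FIELDS = { 'user.name': 'alice', '__proto__.x': 'polluted' };

// Runs each parser/merge combination and reports whether an unrelated object
// ended up inheriting "x". Object.prototype is cleaned up after each step so
// the process is left as it was found.
function demo(fields = CONSTRUCTED_FIELDS) {
  const report = {};
  const unrelated = {};
  const unfixed = parseDotFields(fields, { reject: false });
  report.unfixedHasProtoKey = Object.prototype.hasOwnProperty.call(unfixed, '__proto__');
  deepMergeUnsafe({}, unfixed);
  report.unsafeMergePolluted = unrelated.x === 'polluted';
  delete Object.prototype.x;
  deepMergeSafe({}, unfixed);
  report.safeMergePolluted = unrelated.x === 'polluted';
  delete Object.prototype.x;
  const fixed = parseDotFields(fields);
  report.fixedHasProtoKey = Object.prototype.hasOwnProperty.call(fixed, '__proto__');
  report.fixedKeepsOtherFields = fixed.user !== undefined && fixed.user.name === 'alice';
  deepMergeUnsafe({}, fixed);
  report.fixedWithUnsafeMergePolluted = unrelated.x === 'polluted';
  delete Object.prototype.x;
  return report;
}

console.log(JSON.stringify(demo(), null, 2));
```

The report shows the advisory's point directly: the unfiltered expansion alone leaves `Object.prototype` untouched, but feeding its output to the unsafe merge pollutes every plain object in the process, while either filtering the path segments or using the hardened merge is enough to prevent it. Since only one side needs to be fixed to block this particular payload, both should be in place so that a future change to one does not silently reopen the issue.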
ghsa CVSS3.1: 4.8
Vulnerability type: CWE-1321 Prototype Pollution
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026