CVSS Score: 6.5 Published: 2026-03-11 Full Report: https://cvereports.com/reports/GHSA-V8W9-8MX6-G223
The Hono web framework contains a Prototype Pollution vulnerability (CWE-1321) within its parseBody utility. When the { dot: true } configuration option is enabled, insufficient validation of form data keys allows unauthenticated attackers to inject arbitrary properties into the global Object.prototype. This manipulation affects all objects within the Node.js runtime environment.
Hono versions prior to 4.12.7 are vulnerable to Prototype Pollution via the parseBody utility when dot: true is enabled. Attackers can pollute the global object prototype by sending crafted form data keys such as __proto__.polluted, potentially leading to Denial of Service or unauthorized property manipulation.
- CWE ID: CWE-1321
- Attack Vector: Network
- Authentication Required: None
- CVSS Score: 6.5 (Medium)
- Affected Component: parseBody utility
- Fix Commit: ef902257e0beacbb83d2a9549b3b83e03514a6fe
- Hono web framework versions prior to 4.12.7
- Node.js applications utilizing Hono's parseBody with the dot configuration enabled
- hono: < 4.12.7 (Fixed in: 4.12.7)
- Upgrade the hono package to version 4.12.7 or a newer stable release.
- Disable the dot-notation parsing feature by explicitly omitting the { dot: true } option or setting it to { dot: false } if nested object parsing is not strictly required.
- Implement application-level input validation to sanitize or reject incoming request keys containing 'constructor' or 'prototype'.
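An application-level check of this kind, as an added example in plain JavaScript that is neither Hono's code nor part of the advisory: it rejects dotted form keys whose segments are '__proto__', 'constructor' or 'prototype' (the key shape described above) and expands the remaining keys into null-prototype containers, so the shared Object.prototype is never a write target. The expander, its function names and the sample form entries are assumptions of this example.

```javascript
// Added example (not Hono's own code): a hardened dot-notation form-key
// expander showing the key validation the advisory recommends.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// A dotted key is safe when every segment is non-empty and none of them
// would walk into Object.prototype.
function isSafeFormKey(key) {
  return key.split('.').every((seg) => seg.length > 0 && !FORBIDDEN_SEGMENTS.has(seg));
}

// Expands [['a.b', 1], ['a.c', 2]] into { a: { b: 1, c: 2 } }. Containers are
// null-prototype objects and only own properties are ever written, so even a
// key that slipped past the check could not reach the shared prototype.
function expandDotKeys(entries) {
  const root = Object.create(null);
  for (const [key, value] of entries) {
    if (!isSafeFormKey(key)) {
      throw new Error(`rejected unsafe form key: ${key}`);
    }
    const segs = key.split('.');
    let node = root;
    for (let i = 0; i < segs.length - 1; i++) {
      const seg = segs[i];
      const child = Object.prototype.hasOwnProperty.call(node, seg) ? node[seg] : undefined;
      if (typeof child !== 'object' || child === null) {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    node[segs[segs.length - 1]] = value;
  }
  return root;
}

// Constructed sample inputs: a benign nested form and the key shape the
// advisory describes (__proto__.polluted).
const BENIGN_FORM = [['user.name', 'alice'], ['user.roles.0', 'viewer']];
const HOSTILE_FORM = [['__proto__.polluted', 'yes']];

// Runs both forms through the expander and confirms Object.prototype stayed clean.
function demo() {
  const parsed = expandDotKeys(BENIGN_FORM);
  let rejected = false;
  try { expandDotKeys(HOSTILE_FORM); } catch (e) { rejected = true; }
  const prototypeClean = ({}).polluted === undefined;
  return { parsed, rejected, prototypeClean };
}
```

Running the check before any dot-notation expansion (or on every multipart/urlencoded key at the middleware layer) gives the same protection regardless of which parser later consumes the body.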
Remediation Steps:
- Identify all instances within the codebase where parseBody is invoked with { dot: true }.
- Update the hono dependency in package.json to ^4.12.7.
- Execute npm install or the equivalent package manager command to pull the patched version.
- Run the application test suite to ensure the updated parsing logic does not break expected form processing functionality.
- Deploy the updated application to all environments.
Generated by CVEReports - Automated Vulnerability Intelligence