GHSA-v8w9-8mx6-g223
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v8w9-8mx6-g223
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v8w9-8mx6-g223/GHSA-v8w9-8mx6-g223.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v8w9-8mx6-g223
- Downstream
- Related
- Published
- 2026-03-11T00:31:47Z
- Modified
- 2026-03-13T18:14:02.432254Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
- Details
-
Summary
When using
parseBody({ dot: true })in HonoRequest, specially crafted form field names such as__proto__.xcould create objects containing a__proto__property.If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the target object.
Details
The
parseBody({ dot: true })feature supports dot notation to construct nested objects from form field names.In previous versions, the
__proto__path segment was not filtered. As a result, specially crafted keys such as__proto__.xcould produce objects containing__proto__properties.While this behavior does not directly modify
Object.prototypewithin Hono itself, it may become exploitable if the parsed result is later merged into regular JavaScript objects using unsafe merge patterns.Impact
Applications that merge parsed form data into regular objects using unsafe patterns (for example recursive deep merge utilities) may become vulnerable to prototype pollution.
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-1321" ], "github_reviewed_at": "2026-03-11T00:31:47Z", "nvd_published_at": null }- References
Affected packages
npm / hono
Package
- Name
- hono
- View open source insights on deps.dev
- Purl
- pkg:npm/hono