DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-v8w9-8mx6-g223: Prototype Pollution in Hono parseBody Utility

Vulnerability ID: GHSA-v8w9-8mx6-g223
CVSS Score: 6.5
Published: 2026-03-11

The Hono web framework's parseBody utility contains a Prototype Pollution vulnerability (CWE-1321). When the { dot: true } option is enabled, dotted form data keys are split into path segments and walked to build nested objects, and the segments are not validated, so an unauthenticated attacker can inject arbitrary properties into the shared Object.prototype. Because every plain object inherits from that prototype, the injected property becomes visible on all objects within the Node.js runtime environment.

TL;DR

Hono versions prior to 4.12.7 are vulnerable to Prototype Pollution via the parseBody utility when dot: true is enabled. Attackers can pollute the global object prototype by sending crafted form data keys such as __proto__.polluted, potentially leading to Denial of Service or unauthorized property manipulation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1321
  • Attack Vector: Network
  • Authentication Required: None
  • CVSS Score: 6.5 (Medium)
  • Affected Component: parseBody utility
  • Fix Commit: ef902257e0beacbb83d2a9549b3b83e03514a6fe

Affected Systems

  • Hono web framework versions prior to 4.12.7
  • Node.js applications utilizing Hono's parseBody with the dot configuration enabled
  • hono: < 4.12.7 (Fixed in: 4.12.7)

Code Analysis

Commit: ef90225

Fix Prototype Pollution vulnerability in parseBody utility by adding regex validation to skip __proto__ key segments.

Mitigation Strategies

  • Upgrade the hono package to version 4.12.7 or a newer stable release.
  • Disable dot-notation parsing by omitting the { dot: true } option (or passing { dot: false }) wherever nested object parsing is not strictly required.
  • As defense in depth, add application-level input validation that rejects incoming form keys whose dot-separated segments include '__proto__', 'constructor' or 'prototype'.
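The following is an added example, not Hono's own code: a minimal model of a dot-notation form parser in the style of what parseBody exposes with { dot: true }. It reproduces the pollution path described in the advisory (a key of __proto__.polluted walks onto Object.prototype) and then applies the kind of segment check the fix commit and the mitigation bullets describe. All function names, the DANGEROUS_SEGMENT regex, and the attacker entries are assumptions made for illustration; the regex is not Hono's actual pattern.

```javascript
// Added example (not Hono's own code): a minimal model of a dot-notation form
// parser, in the style of what parseBody exposes with { dot: true }, shown in
// an unsafe form that reproduces the pollution and a hardened form that
// rejects prototype-polluting key segments. All names are hypothetical.

// Walks every dotted segment and creates objects on demand. With a key of
// "__proto__.polluted", cur["__proto__"] resolves to Object.prototype, so the
// final assignment lands on the global prototype instead of on `target`.
function setNestedUnsafe(target, key, value) {
  const segments = key.split('.');
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return true;
}

// Illustrative guard (an assumption here, not Hono's actual regex): any key
// with a segment naming a prototype-related property is dropped outright.
const DANGEROUS_SEGMENT = /^(?:__proto__|constructor|prototype)$/;

function setNestedSafe(target, key, value) {
  const segments = key.split('.');
  if (segments.some((seg) => DANGEROUS_SEGMENT.test(seg))) {
    return false; // whole key rejected, nothing written
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Only descend into objects that `cur` itself owns; inherited properties
    // are never used as containers, so the walk can never be redirected onto
    // a shared prototype even if the regex were to miss an alias.
    if (!Object.prototype.hasOwnProperty.call(cur, seg) ||
        typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return true;
}

// Builds the request body from [key, value] pairs (what a urlencoded or
// multipart form decodes to) using the supplied setter.
function parseFormEntries(entries, setter) {
  const body = {};
  for (const [key, value] of entries) {
    setter(body, key, value);
  }
  return body;
}

// Constructed attacker payload: one legitimate field plus a pollution attempt.
const ATTACK_ENTRIES = [
  ['user.name', 'alice'],
  ['__proto__.polluted', 'yes'],
];

// Runs the payload through both parsers and reports whether an unrelated,
// freshly created object now carries the injected property. The unsafe run is
// cleaned up afterwards so the process is left in its original state.
function demonstrate() {
  const unsafeBody = parseFormEntries(ATTACK_ENTRIES, setNestedUnsafe);
  const pollutedAfterUnsafe = ({}).polluted; // 'yes': every object now has it
  delete Object.prototype.polluted;

  const safeBody = parseFormEntries(ATTACK_ENTRIES, setNestedSafe);
  const pollutedAfterSafe = ({}).polluted; // undefined: key was dropped

  return {
    unsafeName: unsafeBody.user.name,
    pollutedAfterUnsafe,
    safeName: safeBody.user.name,
    pollutedAfterSafe,
  };
}

console.log(demonstrate());
```

The unsafe walk never needs to assign to __proto__ itself: reading cur["__proto__"] on a plain object already returns Object.prototype, which is why a simple "is this an object" test is not enough. The hardened version drops the entire key rather than just the offending segment, and additionally refuses to descend through inherited properties, so the two checks back each other up.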

Remediation Steps:

  1. Identify all instances within the codebase where parseBody is invoked with { dot: true }.
  2. Update the hono dependency in package.json to ^4.12.7.
  3. Execute npm install or the equivalent package manager command to pull the patched version.
  4. Run the application test suite to ensure the updated parsing logic does not break expected form processing functionality.
  5. Deploy the updated application to all environments.
