CVE-2026-56763
Received Received - Intake

Hono Prototype Pollution via __proto__ in parseBody

Vulnerability report for CVE-2026-56763, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: VulnCheck

Description

Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hono framework to 4.12.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56763 is a vulnerability in the Hono web framework versions before 4.12.7. It occurs when the parseBody function is used with the dot option enabled, allowing specially crafted form field names containing the __proto__ key to create objects with __proto__ properties.

While Hono itself does not directly modify Object.prototype, if the parsed results are merged into regular JavaScript objects using unsafe merge patterns (such as recursive deep merge utilities), attackers can exploit this to achieve prototype pollution, which means they can modify the behavior of JavaScript objects unexpectedly.

Impact Analysis

This vulnerability can impact applications by allowing attackers to perform prototype pollution, which can lead to unintended or malicious behavior in JavaScript objects.

  • Modification of object behavior leading to potential data integrity issues.
  • Potential confidentiality risks if sensitive data is affected by altered object properties.
  • Unintended application behavior or security bypasses due to manipulated prototypes.

The severity is rated as moderate with CVSS scores ranging from 4.8 to 6.3, indicating a medium-level risk that requires attention especially if unsafe merge patterns are used.

Detection Guidance

Detection of this vulnerability involves identifying usage of the Hono web framework versions prior to 4.12.7 that use the parseBody function with the dot option enabled.

Specifically, you should look for application code or network traffic that includes form field names containing the string '__proto__' or '__proto__.x', which could indicate attempts to exploit prototype pollution.

Since the vulnerability arises when parsed results are merged unsafely into JavaScript objects, detection can also involve reviewing application logs or code for unsafe merge patterns such as recursive deep merge utilities.

No explicit commands are provided in the available resources, but general approaches include:

  • Searching source code for usage of parseBody with the dot option enabled.
  • Monitoring HTTP requests for suspicious form field names containing '__proto__'.
  • Using network traffic inspection tools (e.g., tcpdump, Wireshark) with filters for form data containing '__proto__'.
  • Reviewing application logs for errors or unusual behavior related to object merging.
Mitigation Strategies

The primary mitigation step is to upgrade the Hono framework to version 4.12.7 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, avoid enabling the dot option in the parseBody function to prevent parsing of form field names that could lead to prototype pollution.

Additionally, review and modify any unsafe merge patterns in your application code that combine parsed form data with JavaScript objects, especially recursive deep merge utilities, to ensure they do not allow prototype pollution.

Implement input validation and sanitization to reject or neutralize form field names containing '__proto__' or similar prototype pollution vectors.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56763. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart