Description
Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.
Problem types
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Product status
Any version before 4.12.7
4.12.7 (semver)
Credits
0xkakash1
References
github.com/...s/hono/security/advisories/GHSA-v8w9-8mx6-g223 (GitHub Security Advisory (GHSA-v8w9-8mx6-g223))
www.vulncheck.com/...-proto-key-in-parsebody-with-dot-option (VulnCheck Advisory: Hono - Prototype Pollution via __proto__ Key in parseBody with dot Option)