CVE-2026-56763 in Honoinfo

Summary

by MITRE • 07/11/2026

Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/11/2026

This vulnerability exists within the Hono web framework version 4.12.6 and earlier, where the parseBody function with the dot option enabled fails to properly sanitize form field names containing the _proto_ key. The flaw arises from insufficient input validation that allows maliciously crafted form data to include properties named _proto_ which are then processed by the framework's parsing logic. When these parsed results are subsequently merged into regular JavaScript objects using unsafe merge patterns, attackers can leverage this behavior to pollute the prototype of objects within the application's memory space.

The technical implementation of this vulnerability stems from JavaScript's prototype chain mechanism and how the framework handles object merging operations. When form data with _proto_ keys is processed through Hono's parseBody function, the resulting objects inherit these prototype properties that can alter fundamental object behaviors. This occurs because JavaScript's Object.assign() or similar merge operations do not properly handle prototype pollution scenarios, allowing attackers to inject malicious properties into the Object.prototype itself. The vulnerability is particularly dangerous because it enables attackers to modify core JavaScript object methods and properties, potentially leading to arbitrary code execution or bypass of security controls.

The operational impact of this prototype pollution vulnerability extends beyond simple data manipulation, as it can enable a wide range of attacks including but not limited to remote code execution, denial of service conditions, and privilege escalation. An attacker who successfully exploits this vulnerability could modify core JavaScript methods such as toString, valueOf, or other built-in object properties, which would affect the entire application's behavior. This type of vulnerability is classified under CWE-471 as "Modification of Assumed-Immutable Data" and aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: JavaScript" where attackers can manipulate object prototypes to achieve their malicious objectives.

The exploitation pattern requires that the vulnerable application uses unsafe merge patterns and has the dot option enabled in its form parsing configuration. Security controls should focus on implementing proper input sanitization at the framework level, specifically by rejecting or filtering out _proto_ keys during form data processing. Organizations should update to Hono version 4.12.7 or later where this vulnerability has been patched through enhanced validation of form field names and improved object merging operations that prevent prototype pollution. Additionally, defensive programming practices including the use of Object.freeze() on prototype objects, implementing custom merge functions that exclude prototype properties, and employing strict content-type validation for form submissions can mitigate the risk associated with similar vulnerabilities in other frameworks.

Responsible

VulnCheck

Reservation

06/22/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!