Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network delivery via HTTP form body, but high complexity due to non-default dot:true config and unsafe merge precondition both required; no authentication or user interaction needed; limited C and I impact, no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 77 npm packages depend on hono (63 direct, 14 indirect)
Ecosystem-wide dependent count for version 4.12.7.
DescriptionCVE.org
Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.
AnalysisAI
Prototype pollution in Hono before 4.12.7 enables unauthenticated remote attackers to inject properties into JavaScript's Object.prototype by submitting crafted form field names containing '__proto__' keys when the 'dot' option is enabled in parseBody. Exploitation is conditional - it further requires that application code merges parsed body output into plain JavaScript objects using unsafe merge patterns - but when both conditions are present, attackers can silently alter inherited object behavior across the entire runtime, potentially bypassing authorization checks or leaking sensitive data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three concurrent conditions must be present for exploitation: (1) the target Hono route must call parseBody with the 'dot' option explicitly set to true - this is a non-default setting that must be deliberately opted into by the developer; (2) the application must pass the parsed body result into a plain JavaScript object merge using an unsafe pattern such as recursive Object.assign, lodash _.merge, or an equivalent custom deep-merge function that does not filter '__proto__'; and (3) the attacker must be able to send HTTP requests with attacker-controlled form body content to that endpoint (Content-Type: application/x-www-form-urlencoded or multipart/form-data). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N) accurately encodes the dual constraints limiting real-world exploitability: high attack complexity and a specific attack prerequisite (AT:P) requiring both the non-default dot:true parseBody configuration AND an unsafe downstream merge pattern in application code. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits an HTTP POST request with Content-Type application/x-www-form-urlencoded to a Hono endpoint that calls parseBody with { dot: true }, encoding a field such as '__proto__[isAdmin]=true' in the body. Hono deserializes this into a nested object with a __proto__ property, and when the application merges the result using an unsafe deep merge, Object.prototype.isAdmin becomes true for all plain objects in the process - causing downstream authorization checks like 'if (user.isAdmin)' to pass for any user. … |
| Remediation | Upgrade Hono to version 4.12.7 or later, which patches '__proto__' key handling in the parseBody function per the vendor advisory at https://github.com/honojs/hono/security/advisories/GHSA-v8w9-8mx6-g223. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43173
GHSA-3wcj-gjvf-fvch