Sign In

GHSA-v8w9-8mx6-g223

ADVISORY - github

Summary

Summary

When using parseBody({ dot: true }) in HonoRequest, specially crafted form field names such as __proto__.x could create objects containing a __proto__ property.

If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the target object.

Details

The parseBody({ dot: true }) feature supports dot notation to construct nested objects from form field names.

In previous versions, the __proto__ path segment was not filtered. As a result, specially crafted keys such as __proto__.x could produce objects containing __proto__ properties.

While this behavior does not directly modify Object.prototype within Hono itself, it may become exploitable if the parsed result is later merged into regular JavaScript objects using unsafe merge patterns.

Impact

Applications that merge parsed form data into regular objects using unsafe patterns (for example recursive deep merge utilities) may become vulnerable to prototype pollution.

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Impacted images

Advisories

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-v8w9-8mx6-g223
EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1321

CVSS SCORE

4.8medium