GHSA-v8w9-8mx6-g223: Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
When using parseBody({ dot: true }) in HonoRequest, specially crafted form field names such as __proto__.x could create objects containing a __proto__ property.
If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the target object.
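An added example (not from the advisory or from Hono's code) showing the unsafe merge pattern described above beside a hardened merge and a key check. `parsedBody` is constructed by hand to stand in for a parsed form body that carries an own `__proto__` property; all function names are hypothetical, and the effect is confined to a throwaway prototype object rather than `Object.prototype`.

```javascript
// Constructed input: stands in for a parsed body where a field named
// "__proto__.isAdmin" became an own "__proto__" key (JSON.parse also creates it as an own key).
const parsedBody = JSON.parse('{"name": "alice", "__proto__": {"isAdmin": "1"}}');

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Unsafe pattern: target["__proto__"] resolves to the target's prototype,
// so the recursion writes into the prototype instead of the target itself.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) unsafeMerge(target[key], source[key]);
    else target[key] = source[key];
  }
  return target;
}

// Hardened merge: skips prototype-related keys and only recurses into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
    target[key] = isPlainObject(value) ? safeMerge(own ? target[key] : {}, value) : value;
  }
  return target;
}

// Check for rejecting or logging a request: returns the dotted path of each blocked key.
function findBlockedKeys(obj, path = "") {
  const hits = [];
  for (const key of Object.keys(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_KEYS.has(key)) hits.push(here);
    else if (isPlainObject(obj[key])) hits.push(...findBlockedKeys(obj[key], here));
  }
  return hits;
}

// Merge into an object with a private prototype, then ask whether an unrelated
// sibling sharing that prototype now inherits the injected field.
function demo() {
  const run = (merge) => {
    const proto = {};
    merge(Object.create(proto), parsedBody);
    return "isAdmin" in Object.create(proto);
  };
  return { unsafe: run(unsafeMerge), safe: run(safeMerge), flagged: findBlockedKeys(parsedBody) };
}
```

Running `findBlockedKeys` on the parsed body before any merge gives a place to reject the request or emit a log line, independent of which merge helper the application uses.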