Defu · Defu · CVE-2026-35209
Name of the Vulnerable Software and Affected Versions
defu versions prior to 6.1.5
Description
Applications using the `defu` package are susceptible to prototype pollution when they merge unsanitized user input, such as parsed JSON request bodies, database records, or config files from untrusted sources. A crafted payload containing a `__proto__` key can override default values in the merged result. The internal `_defu` function previously copied defaults with `Object.assign({}, defaults)`; because `Object.assign` writes each property with an ordinary assignment, a source key named `__proto__` invokes the `__proto__` setter inherited from `Object.prototype`, letting attacker-controlled values replace the prototype of the result object. Properties inherited from the polluted prototype then bypass the existing key safeguards and appear in the final result. The vulnerability is addressed by replacing `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which defines `__proto__` as a plain own property instead of invoking the setter.
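The difference between the two copy operations, as an added example that is not defu's own code: a constructed JSON body with a `__proto__` key is copied once with `Object.assign` (the pre-6.1.5 pattern) and once with spread (the fix), and a small check reports whether the copy's prototype was swapped. The `hasUnsafeKey` helper is an assumed defender-side input filter, not part of defu.

```javascript
// Constructed sample input: what an untrusted request body might parse to.
// JSON.parse defines an *own* property literally named "__proto__".
const UNTRUSTED_JSON = '{"__proto__": {"isAdmin": true}, "theme": "light"}';

// Pre-6.1.5 pattern (simplified): Object.assign uses ordinary assignment,
// so the "__proto__" key hits the setter inherited from Object.prototype
// and the *new object's* prototype becomes the attacker-supplied object.
function copyWithAssign(defaults) {
  return Object.assign({}, defaults);
}

// Fixed pattern: spread defines "__proto__" as a plain own data property
// and never touches the prototype chain.
function copyWithSpread(defaults) {
  return { ...defaults };
}

// Defender-side check: is the prototype still Object.prototype, which own
// keys exist, and does the copy now expose a property it never owned?
// (Object.prototype itself is untouched either way; only the copy differs.)
function inspectCopy(copy) {
  return {
    prototypeIntact: Object.getPrototypeOf(copy) === Object.prototype,
    ownKeys: Object.keys(copy).sort(),
    inheritedIsAdmin:
      !("isAdmin" in Object.prototype) &&
      !Object.prototype.hasOwnProperty.call(copy, "isAdmin") &&
      copy.isAdmin === true,
  };
}

// Assumed input filter (not defu's): reject the usual prototype-pollution
// key names anywhere in a parsed object before it reaches a merge.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function hasUnsafeKey(value) {
  if (value === null || typeof value !== "object") return false;
  for (const key of Object.keys(value)) {
    if (UNSAFE_KEYS.has(key) || hasUnsafeKey(value[key])) return true;
  }
  return false;
}

const parsed = JSON.parse(UNTRUSTED_JSON);
console.log("assign:", inspectCopy(copyWithAssign(parsed)));
console.log("spread:", inspectCopy(copyWithSpread(parsed)));
console.log("unsafe input:", hasUnsafeKey(parsed));
```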
Recommendations
Update to version 6.1.5 or later.