CVE-2026-35209

CVSS v3.1

7.5

High

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact

Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu() are vulnerable to prototype pollution.

A crafted payload containing a proto key can override intended default values in the merged result:

import { defu } from 'defu'

const userInput = JSON.parse('{" proto ":{"isAdmin":true}}')
const config = defu(userInput, { isAdmin: false })

config.isAdmin // true — attacker overrides the server default

Root Cause

The internal defu function used Object.assign({}, defaults) to copy the defaults object. Object.assign invokes the proto setter, which replaces the resulting object's [[Prototype]] with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing proto key guard in the for...in loop and land in the final result.

Fix

Replace Object.assign({}, defaults) with object spread ({ ...defaults }), which uses [[DefineOwnProperty]] and does not invoke the proto setter.

Affected Versions

<= 6.1.4

Credits

Reported by @BlackHatExploitation

Fix

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1321

Related Identifiers

CVE-2026-35209

GHSA-737V-MQG7-C878

Affected Products

Defu

CVE-2026-35209

Impact

Root Cause

Fix

Affected Versions

Credits

Weakness Enumeration

Related Identifiers

Affected Products

References · 3