PT-2026-30321 · Defu · Defu

Blackhatexploitation · Published 2026-04-04 · Updated 2026-05-18 · CVE-2026-35209

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: defu versions prior to 6.1.5

Description: Applications using the defu software are susceptible to prototype pollution when processing unsanitized user input, such as parsed JSON request bodies, database records, or config files from untrusted sources. A crafted payload containing a __proto__ key can override default values in the merged result. The internal defu function previously used Object.assign({}, defaults), which invokes the __proto__ setter, allowing attacker-controlled values to replace the object's prototype. This allows properties inherited from the polluted prototype to bypass existing safeguards and appear in the final result. The vulnerability is addressed by replacing Object.assign({}, defaults) with object spread ({ ...defaults }), which avoids invoking the __proto__ setter.

Recommendations: Update to version 6.1.5 or later.
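The difference between Object.assign and object spread described above, shown as an added example that is not part of this advisory and not defu's source code: a minimal merge routine modelled on the pattern the description gives (copy defaults, then overlay the base object while skipping __proto__ and constructor keys), in its vulnerable and fixed forms, plus a check a consumer can run on a merge result. The JSON body, the mergeVulnerable/mergeFixed/prototypeIntact names and the isAdmin property are constructed for the illustration.

```javascript
// Illustrative re-implementation of the merge pattern the advisory describes.
// This is NOT defu's source; only the copy step differs between the two variants.

// Constructed sample input: a parsed JSON body carrying a "__proto__" key.
// JSON.parse creates it as an ordinary own data property; it only becomes
// dangerous when a later copy step assigns it with [[Set]] semantics.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Vulnerable form: Object.assign uses [[Set]] for every own key of `defaults`,
// so an own "__proto__" key invokes the Object.prototype.__proto__ setter and
// swaps the prototype of the freshly created object for attacker-controlled data.
function mergeVulnerable(baseObject, defaults) {
  const object = Object.assign({}, defaults);
  for (const key in baseObject) {
    // The guard only protects keys coming from baseObject, not from defaults.
    if (key === '__proto__' || key === 'constructor') continue;
    const value = baseObject[key];
    if (value === null || value === undefined) continue;
    object[key] = value;
  }
  return object;
}

// Fixed form: object spread uses CreateDataProperty, so "__proto__" lands as a
// harmless own data property and the prototype stays Object.prototype.
function mergeFixed(baseObject, defaults) {
  const object = { ...defaults };
  for (const key in baseObject) {
    if (key === '__proto__' || key === 'constructor') continue;
    const value = baseObject[key];
    if (value === null || value === undefined) continue;
    object[key] = value;
  }
  return object;
}

// Defender-side check: a merge result built from plain objects should still
// have Object.prototype as its prototype. Anything else means inherited,
// attacker-controlled properties can surface on lookups.
function prototypeIntact(result) {
  return Object.getPrototypeOf(result) === Object.prototype;
}

// Runs both variants on the same untrusted input and reports what a caller
// would observe when reading the merged result.
function demo() {
  const untrusted = JSON.parse(UNTRUSTED_JSON);
  const base = { lang: 'en' };
  const vuln = mergeVulnerable(base, untrusted);
  const fixed = mergeFixed(base, untrusted);
  return {
    vulnIsAdmin: vuln.isAdmin,           // true: inherited from the replaced prototype
    vulnIntact: prototypeIntact(vuln),   // false
    fixedIsAdmin: fixed.isAdmin,         // undefined: no inherited property
    fixedIntact: prototypeIntact(fixed), // true
    // the key survives only as an own data property in the fixed variant
    fixedOwnProtoKey: Object.prototype.hasOwnProperty.call(fixed, '__proto__'),
    // the shared Object.prototype is untouched in both cases; only the merged
    // object's own prototype link was replaced in the vulnerable variant
    globalClean: ({}).isAdmin === undefined,
  };
}

console.log(demo());
```

Note that the vulnerable result does not pollute the global Object.prototype; the damage is that the merged object itself now inherits from attacker-controlled data, which is exactly what lets values bypass the key guard and appear in the final result.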

Fix

Weakness Enumeration

Prototype Pollution

Related Identifiers

CLEANSTART-2026-CE10526
CLEANSTART-2026-NB51079
CVE-2026-35209
GHSA-737V-MQG7-C878

Affected Products

Defu