Skip to main content

Prototype Pollution CVE-2026-35209

HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-04-04 https://github.com/unjs/defu GHSA-737v-mqg7-c878
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 23:52 vuln.today
cvss_changed
Patch released
Apr 04, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 04, 2026 - 06:30 vuln.today
CVE Published
Apr 04, 2026 - 06:17 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 13 npm packages depend on defu (10 direct, 3 indirect)

Ecosystem-wide dependent count for version 6.1.5.

DescriptionGitHub Advisory

Impact

Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu() are vulnerable to prototype pollution.

A crafted payload containing a __proto__ key can override intended default values in the merged result:

js
import { defu } from 'defu'

const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}')
const config = defu(userInput, { isAdmin: false })

config.isAdmin // true - attacker overrides the server default

Root Cause

The internal _defu function used Object.assign({}, defaults) to copy the defaults object. Object.assign invokes the __proto__ setter, which replaces the resulting object's [[Prototype]] with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing __proto__ key guard in the for...in loop and land in the final result.

Fix

Replace Object.assign({}, defaults) with object spread ({ ...defaults }), which uses [[DefineOwnProperty]] and does not invoke the __proto__ setter.

Affected Versions

<= 6.1.4

Credits

Reported by @BlackHatExploitation

AnalysisAI

Prototype pollution in defu npm package (≤6.1.4) allows remote attackers to override application logic by injecting __proto__ keys through unsanitized user input. The vulnerability enables authentication bypass and arbitrary property injection when applications merge untrusted JSON, database records, or configuration data using defu(). CVSS 7.5 (High) with network-accessible, low-complexity exploitation requiring no authentication. No active exploitation confirmed (not in CISA KEV), but public proof-of-concept exists in the GitHub advisory demonstrating admin privilege escalation.

Technical ContextAI

The defu library is a popular JavaScript object merging utility used in Node.js applications for configuration management and default value assignment. The vulnerability stems from the internal _defu function's use of Object.assign({}, defaults) to shallow-copy the defaults object. Object.assign invokes property setters during assignment, including the special __proto__ setter which modifies an object's prototype chain. When an attacker supplies input containing {"__proto__":{"isAdmin":true}}, Object.assign triggers the __proto__ setter, polluting the resulting object's prototype. Although defu contained a for...in loop guard to skip __proto__ keys, properties inherited from the polluted prototype bypass this check and appear in the final merged result. This is a classic manifestation of CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as prototype pollution. The affected package (pkg:npm/defu) is widely used in the JavaScript ecosystem, particularly in frameworks like Nuxt.js and other unjs projects for configuration merging.

RemediationAI

Upgrade defu to version 6.1.5 or later, which replaces Object.assign({}, defaults) with object spread syntax ({...defaults}) to prevent __proto__ setter invocation during object copying. The fix is available through standard npm package managers: run npm update defu, yarn upgrade defu, or pnpm update defu depending on your package manager, then verify package.json and lockfiles reflect version >6.1.4. For applications unable to upgrade immediately, implement input sanitization by removing __proto__, constructor, and prototype keys from user-controlled objects before passing to defu(), or use object freezing (Object.freeze) on default configuration objects. Code review should identify all defu() call sites where the first argument originates from external sources (req.body, database queries, file uploads) and prioritize those for remediation. Consult the official GitHub security advisory at https://github.com/unjs/defu/security/advisories/GHSA-737v-mqg7-c878 for additional mitigation guidance and https://github.com/advisories/GHSA-737v-mqg7-c878 for ecosystem-wide impact details. Post-upgrade testing should verify that configuration merging behavior remains consistent while blocking prototype pollution attempts.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-35209 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy