Prototype Pollution
CVE-2026-35209
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 13 npm packages depend on defu (10 direct, 3 indirect)
Ecosystem-wide dependent count for version 6.1.5.
DescriptionGitHub Advisory
Impact
Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu() are vulnerable to prototype pollution.
A crafted payload containing a __proto__ key can override intended default values in the merged result:
import { defu } from 'defu'
const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}')
const config = defu(userInput, { isAdmin: false })
config.isAdmin // true - attacker overrides the server defaultRoot Cause
The internal _defu function used Object.assign({}, defaults) to copy the defaults object. Object.assign invokes the __proto__ setter, which replaces the resulting object's [[Prototype]] with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing __proto__ key guard in the for...in loop and land in the final result.
Fix
Replace Object.assign({}, defaults) with object spread ({ ...defaults }), which uses [[DefineOwnProperty]] and does not invoke the __proto__ setter.
Affected Versions
<= 6.1.4
Credits
Reported by @BlackHatExploitation
AnalysisAI
Prototype pollution in defu npm package (≤6.1.4) allows remote attackers to override application logic by injecting __proto__ keys through unsanitized user input. The vulnerability enables authentication bypass and arbitrary property injection when applications merge untrusted JSON, database records, or configuration data using defu(). CVSS 7.5 (High) with network-accessible, low-complexity exploitation requiring no authentication. No active exploitation confirmed (not in CISA KEV), but public proof-of-concept exists in the GitHub advisory demonstrating admin privilege escalation.
Technical ContextAI
The defu library is a popular JavaScript object merging utility used in Node.js applications for configuration management and default value assignment. The vulnerability stems from the internal _defu function's use of Object.assign({}, defaults) to shallow-copy the defaults object. Object.assign invokes property setters during assignment, including the special __proto__ setter which modifies an object's prototype chain. When an attacker supplies input containing {"__proto__":{"isAdmin":true}}, Object.assign triggers the __proto__ setter, polluting the resulting object's prototype. Although defu contained a for...in loop guard to skip __proto__ keys, properties inherited from the polluted prototype bypass this check and appear in the final merged result. This is a classic manifestation of CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as prototype pollution. The affected package (pkg:npm/defu) is widely used in the JavaScript ecosystem, particularly in frameworks like Nuxt.js and other unjs projects for configuration merging.
RemediationAI
Upgrade defu to version 6.1.5 or later, which replaces Object.assign({}, defaults) with object spread syntax ({...defaults}) to prevent __proto__ setter invocation during object copying. The fix is available through standard npm package managers: run npm update defu, yarn upgrade defu, or pnpm update defu depending on your package manager, then verify package.json and lockfiles reflect version >6.1.4. For applications unable to upgrade immediately, implement input sanitization by removing __proto__, constructor, and prototype keys from user-controlled objects before passing to defu(), or use object freezing (Object.freeze) on default configuration objects. Code review should identify all defu() call sites where the first argument originates from external sources (req.body, database queries, file uploads) and prioritize those for remediation. Consult the official GitHub security advisory at https://github.com/unjs/defu/security/advisories/GHSA-737v-mqg7-c878 for additional mitigation guidance and https://github.com/advisories/GHSA-737v-mqg7-c878 for ecosystem-wide impact details. Post-upgrade testing should verify that configuration merging behavior remains consistent while blocking prototype pollution attempts.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-737v-mqg7-c878