CVE-2026-35209
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description
### Impact

Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the merged result:

```js
import { defu } from 'defu'

// Parsed JSON carrying an own "__proto__" key
const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}')
const config = defu(userInput, { isAdmin: false })
config.isAdmin // true - attacker overrides the server default
```

### Root Cause

The internal `_defu` function used `Object.assign({}, defaults)` to copy the defaults object. `Object.assign` invokes the `__proto__` setter, which replaces the resulting object's `[[Prototype]]` with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing `__proto__` key guard in the `for...in` loop and land in the final result.

### Fix

Replace `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which uses `[[DefineOwnProperty]]` and does not invoke the `__proto__` setter.

### Affected Versions

<= 6.1.4

### Credits

Reported by [@BlackHatExploitation](https://github.com/BlackHatExploitation)
Analysis
Prototype pollution in defu npm package (≤6.1.4) allows remote attackers to override application logic by injecting __proto__ keys through unsanitized user input. The vulnerability enables authentication bypass and arbitrary property injection when applications merge untrusted JSON, database records, or configuration data using defu(). …
Remediation
Within 24 hours: Identify all applications using defu ≤6.1.4 via software composition analysis (SCA) tools and audit code for usage patterns merging untrusted data.
Within 7 days: Evaluate upgrade path to defu ≥6.1.5 or newer if available; if unavailable, implement input validation and sanitization to strip __proto__, prototype, and constructor keys from all JSON before defu() operations.
…
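The following is an added example written for this advisory; it is not code from the defu project or from the advisory itself. It demonstrates the Root Cause and Fix sections (why `Object.assign({}, obj)` lets a parsed `__proto__` key replace the copy's `[[Prototype]]` while object spread does not) and the interim mitigation from the remediation section (stripping `__proto__`, `prototype` and `constructor` keys from JSON before any merge). The helper names `copyWithAssign`, `copyWithSpread`, `safeJsonParse`, `mergeDefaults` and `isPlainObject` are hypothetical, and the input JSON is a constructed sample in the shape the advisory describes.

```javascript
// Added example for this advisory; not code from the defu project.
// copyWithAssign, copyWithSpread, safeJsonParse and mergeDefaults are
// hypothetical helpers written here to show the root cause and the defences.

// Constructed sample input in the advisory's payload shape, parsed by JSON.parse.
// JSON.parse creates "__proto__" as an ordinary own property of the result,
// so parsing alone pollutes nothing; the danger is in how it is copied later.
const ATTACKER_JSON = '{"__proto__":{"isAdmin":true},"theme":"dark"}';
const untrusted = JSON.parse(ATTACKER_JSON);

// The unsafe copy pattern named in the advisory. Object.assign performs [[Set]]
// for each own enumerable key, so the key "__proto__" reaches the inherited
// Object.prototype.__proto__ setter and swaps the new object's [[Prototype]]
// for the attacker-supplied object.
function copyWithAssign(src) {
  return Object.assign({}, src);
}

// The fixed copy pattern. Object spread performs [[DefineOwnProperty]], which
// never invokes setters: "__proto__" becomes a plain own key and the copy keeps
// Object.prototype as its prototype.
function copyWithSpread(src) {
  return { ...src };
}

// Interim mitigation from the remediation section: strip the dangerous keys at
// the parse boundary. A JSON.parse reviver that returns undefined deletes the
// property, at every nesting level, before any merge sees the data.
const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function safeJsonParse(text) {
  return JSON.parse(text, (key, value) => (FORBIDDEN_KEYS.has(key) ? undefined : value));
}

// Only recurse into plain objects; arrays, class instances and null are
// assigned as values rather than merged.
function isPlainObject(value) {
  return value !== null && typeof value === 'object'
    && Object.getPrototypeOf(value) === Object.prototype;
}

// A defensive deep merge of input over defaults: spread for the copy, own keys
// only, forbidden keys skipped. Written as a defensive pattern, not as defu's
// merge algorithm.
function mergeDefaults(input, defaults) {
  const result = { ...defaults };
  for (const key of Object.keys(input)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = input[key];
    if (isPlainObject(value) && isPlainObject(result[key])) {
      result[key] = mergeDefaults(value, result[key]);
    } else if (value !== undefined) {
      result[key] = value;
    }
  }
  return result;
}

// Exercise each helper on the constructed input and return the observations.
function demo() {
  const polluted = copyWithAssign(untrusted);
  const clean = copyWithSpread(untrusted);
  const stripped = safeJsonParse(ATTACKER_JSON);
  const merged = mergeDefaults(untrusted, { isAdmin: false, theme: 'light' });
  return {
    assignIsAdmin: polluted.isAdmin,   // true: prototype was replaced
    spreadIsAdmin: clean.isAdmin,      // undefined: prototype untouched
    strippedHasProto: Object.prototype.hasOwnProperty.call(stripped, '__proto__'), // false
    mergedIsAdmin: merged.isAdmin,     // false: the server default survives
    mergedTheme: merged.theme,         // 'dark': a legitimate override still applies
  };
}

console.log(demo());
```

The reviver-based `safeJsonParse` is the cheapest place to apply the interim mitigation because it runs once, at the trust boundary, before the data fans out to every merge call; `mergeDefaults` shows the same rule applied inside the merge for code paths where the input does not arrive as JSON text.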
GHSA-737v-mqg7-c878