CVE-2026-35209
defu: Prototype pollution via `__proto__` key in defaults argument
Description
### Impact

Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the merged result:

```js
import { defu } from 'defu'

const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}')
const config = defu(userInput, { isAdmin: false })
config.isAdmin // true — attacker overrides the server default
```

### Root Cause

The internal `_defu` function used `Object.assign({}, defaults)` to copy the defaults object. `Object.assign` invokes the `__proto__` setter, which replaces the resulting object's `[[Prototype]]` with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing `__proto__` key guard in the `for...in` loop and land in the final result.

### Fix

Replace `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which uses `[[DefineOwnProperty]]` and does not invoke the `__proto__` setter.

### Affected Versions

<= 6.1.4

### Credits

Reported by [@BlackHatExploitation](https://github.com/BlackHatExploitation)
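To see the root cause and the fix side by side, here is an added example that is not defu's own source: a minimal defu-style merge in which the two variants differ only in how the defaults object is copied. The names `mergeWith`, `defuVulnerable`, `defuFixed` and `demo`, and the simplified `isPlainObject` check, are assumptions of this example.

```javascript
// Added example, not defu's source: a minimal defu-style merge whose two
// variants differ only in how the defaults object is copied.
// `isPlainObject` is a simplified stand-in (assumption) for the library's check.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v)

// Builds a defu-like merge function from a "copy the defaults" strategy.
function mergeWith(copyDefaults) {
  function _merge(base, defaults) {
    const out = copyDefaults(defaults)
    for (const key in base) { // for...in also walks inherited enumerable keys
      if (key === '__proto__' || key === 'constructor') continue // key guard
      const value = base[key]
      if (isPlainObject(value) && isPlainObject(out[key])) {
        out[key] = _merge(value, out[key])
      } else {
        out[key] = value
      }
    }
    return out
  }
  // defu(...objects) folds left starting from {}, so the user-supplied first
  // argument is the `defaults` of step one and goes through copyDefaults.
  return (...objects) => objects.reduce((acc, obj) => _merge(acc, obj), {})
}

// Vulnerable variant (the <= 6.1.4 behaviour the advisory describes):
// Object.assign uses [[Set]], so an own "__proto__" key created by JSON.parse
// triggers the __proto__ setter and re-parents the copy onto attacker data.
// In step two, for...in then reads the inherited isAdmin from that prototype.
const defuVulnerable = mergeWith((d) => Object.assign({}, d))

// Fixed variant (6.1.5): object spread uses [[DefineOwnProperty]], so
// "__proto__" stays an ordinary own key that the loop guard later skips.
const defuFixed = mergeWith((d) => ({ ...d }))

// Constructed sample input, as in the advisory.
const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}')
const serverDefaults = { isAdmin: false }

function demo() {
  return {
    vulnerable: defuVulnerable(userInput, serverDefaults).isAdmin, // true
    fixed: defuFixed(userInput, serverDefaults).isAdmin,           // false
    // The pollution is scoped to the merged result; Object.prototype is untouched.
    globalPolluted: Object.prototype.hasOwnProperty('isAdmin'),    // false
  }
}

console.log(demo())
```

Note that the polluted prototype belongs to the intermediate result object, not to the global `Object.prototype`, which is why a generic global-pollution check would not catch this case.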
How to fix CVE-2026-35209
To remediate CVE-2026-35209, upgrade the affected package to a fixed version below.
- defu: upgrade to 6.1.5 or later
Is CVE-2026-35209 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- defu: >= 0, < 6.1.5