CVE-2026-35209
defu: Prototype pollution via `__proto__` key in defaults argument
Description
### Impact

Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the merged result:

```js
import { defu } from 'defu'

const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}')
const config = defu(userInput, { isAdmin: false })
config.isAdmin // true — attacker overrides the server default
```

### Root Cause

The internal `_defu` function used `Object.assign({}, defaults)` to copy the defaults object. `Object.assign` writes each source key with `[[Set]]`, so an own `__proto__` key invokes the inherited `__proto__` setter and replaces the resulting object's `[[Prototype]]` with attacker-controlled values. Because `for...in` also enumerates inherited enumerable properties, values inherited from the polluted prototype bypass the existing `__proto__` key guard in the `for...in` loop (which only skips the literal `__proto__` key) and land in the final result.

### Fix

Replace `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which uses `[[DefineOwnProperty]]` and does not invoke the `__proto__` setter; the key becomes an ordinary own property that the existing guard then skips.

### Affected Versions

<= 6.1.4

### Credits

Reported by [@BlackHatExploitation](https://github.com/BlackHatExploitation)
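As an added illustration (not the defu project's own code), the following is a simplified model of the internal merge in its vulnerable (`Object.assign`) and fixed (object spread) forms, using the advisory's payload, so the bypass of the `__proto__` guard and the effect of the fix can be observed side by side. The `makeMerge`, `vulnerableDefu`, `fixedDefu` and `mergeUntrusted` names are this example's own.

```javascript
// Added example: a reduced model of defu's internal merge, NOT the library
// itself. It keeps only the parts the advisory discusses: copying the
// defaults, then laying the base object over the copy with a for...in loop
// that skips the literal "__proto__" and "constructor" keys.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value)
}

// copyDefaults decides how the defaults object is copied; that single
// choice is the difference between the vulnerable and the fixed version.
function makeMerge(copyDefaults) {
  function merge(baseObject, defaults) {
    // Object.assign({}, d) -> [[Set]]: an own "__proto__" key fires the setter
    //                         and swaps the copy's prototype.
    // { ...d }             -> [[DefineOwnProperty]]: "__proto__" stays an own key.
    const object = copyDefaults(defaults)
    for (const key in baseObject) {
      // Guard from the original: skips only the literal key names. It cannot
      // see values that for...in yields from a polluted prototype.
      if (key === '__proto__' || key === 'constructor') continue
      const value = baseObject[key]
      if (value === null || value === undefined) continue
      if (isPlainObject(value) && isPlainObject(object[key])) {
        object[key] = merge(value, object[key])
      } else {
        object[key] = value
      }
    }
    return object
  }
  // Same shape as the public defu(obj, ...defaults): reduce from {}.
  return (...args) => args.reduce((acc, cur) => merge(acc, cur), {})
}

const vulnerableDefu = makeMerge((d) => Object.assign({}, d)) // pre-fix
const fixedDefu = makeMerge((d) => ({ ...d }))                 // post-fix

// Constructed input mirroring the advisory: JSON.parse yields an OWN
// "__proto__" property, which is exactly what Object.assign mishandles.
function mergeUntrusted(defuImpl) {
  const userInput = JSON.parse('{"__proto__":{"isAdmin":true},"name":"x"}')
  return defuImpl(userInput, { isAdmin: false, name: 'anon' })
}

// Vulnerable model: isAdmin comes back true; fixed model: stays false.
console.log(mergeUntrusted(vulnerableDefu).isAdmin, mergeUntrusted(fixedDefu).isAdmin)
```

Note that in both versions the global `Object.prototype` stays untouched; the damage is confined to the merged result, which is what lets the server default be silently overridden.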
How to fix CVE-2026-35209
To fix CVE-2026-35209, upgrade the affected package to the patched version listed below.
- Upgrade to 6.1.5 or later
Is CVE-2026-35209 being exploited?
Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 6.1.5
CVSS score