DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-35209: Prototype Pollution in unjs/defu via Object.assign


Vulnerability ID: CVE-2026-35209
CVSS Score: 7.5
Published: 2026-04-04

The defu library, a popular utility for recursively assigning default properties, contains a prototype pollution vulnerability prior to version 6.1.5. Applications passing unsanitized user input as the primary argument to the defu() function permit attackers to override object properties via crafted JSON payloads, leading to configuration injection or potential application logic bypass.

TL;DR

A flaw in defu < 6.1.5 allows prototype pollution via Object.assign() when merging unsanitized user input containing __proto__ keys, enabling attackers to alter default application properties.
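As an added illustration (not code from defu or from the original report), the following JavaScript shows the two language behaviours that the fix commit changes and why they matter for input carrying a literal "__proto__" key: Object.assign copies with setter semantics while object spread defines own data properties, and for...in walks inherited keys while Object.keys does not. The JSON input is constructed for the demonstration; no global prototype is modified.

```javascript
// Constructed input: JSON.parse creates an *own* property literally named
// "__proto__" and leaves the parsed object's prototype untouched.
const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}, "theme": "dark"}');

function hasOwnProtoKey(obj) {
  return Object.prototype.hasOwnProperty.call(obj, "__proto__");
}

// Pre-fix pattern: Object.assign uses [[Set]], so the "__proto__" key hits the
// Object.prototype.__proto__ setter and REPLACES the target's prototype with
// the attacker-supplied object.
function copyWithAssign(src) {
  return Object.assign({}, src);
}

// Post-fix pattern: spread uses define semantics (CreateDataProperty), so
// "__proto__" becomes an ordinary own property and the prototype is unchanged.
function copyWithSpread(src) {
  return { ...src };
}

// Reads a flag the way application code would, through the prototype chain.
function inheritedIsAdmin(obj) {
  return obj.isAdmin === true;
}

// Second change in the fix: for...in also yields enumerable keys inherited
// from the prototype chain; Object.keys yields own keys only.
function forInKeys(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

function ownKeys(obj) {
  return Object.keys(obj);
}

// Local object whose prototype carries an enumerable key (constructed; this
// does not touch Object.prototype).
function inheritedKeyExample() {
  const proto = { injected: 1 };
  const child = Object.create(proto);
  child.own = 2;
  return { forIn: forInKeys(child), own: ownKeys(child) };
}

// Summary of both copy strategies applied to the constructed input.
function demo() {
  const viaAssign = copyWithAssign(untrusted);
  const viaSpread = copyWithSpread(untrusted);
  return {
    inputHasOwnProto: hasOwnProtoKey(untrusted),
    assignPrototypeReplaced: Object.getPrototypeOf(viaAssign) !== Object.prototype,
    assignLeaksIsAdmin: inheritedIsAdmin(viaAssign),
    spreadPrototypeIntact: Object.getPrototypeOf(viaSpread) === Object.prototype,
    spreadLeaksIsAdmin: inheritedIsAdmin(viaSpread),
    spreadHasOwnProto: hasOwnProtoKey(viaSpread),
    globalUntouched: ({}).isAdmin === undefined,
  };
}

console.log(demo(), inheritedKeyExample());
```

The spread copy still carries an own "__proto__" data property, which is why the patched loop keeps its explicit skip for that key name: the prototype is safe, but downstream code that iterates the merged object's keys should not treat the name as ordinary configuration.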


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1321
  • CVSS Score: 7.5
  • Attack Vector: Network
  • Impact: High Integrity
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Node.js applications processing untrusted JSON with defu
  • Web applications using defu for configuration merging
  • defu: < 6.1.5 (Fixed in: 6.1.5)

Code Analysis

Commit: 3942bfb

Fix prototype pollution vulnerability by replacing Object.assign with spread operator and restricting iteration to Object.keys.

--- a/src/defu.ts
+++ b/src/defu.ts
-  const object = Object.assign({}, defaults);
+  const object = { ...defaults };
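Review bot: the switch to `{ ...defaults }` is the right fix for the setter problem but deserves a comment on this line explaining why: Object.assign copies with [[Set]] semantics, so an own "__proto__" key produced by JSON.parse triggers the Object.prototype.__proto__ setter and replaces the prototype of the new object, whereas object spread defines own data properties and leaves the prototype alone. Without that comment a later refactor can reintroduce Object.assign. A regression test that passes defaults parsed from a JSON document containing a "__proto__" key and asserts `Object.getPrototypeOf(result) === Object.prototype` would lock the behaviour in.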

-  for (const key in baseObject) {
+  for (const key of Object.keys(baseObject as Record<string, any>)) {
     if (key === "__proto__" || key === "constructor") {
       continue;
     }
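Review bot: with Object.keys() the loop now visits own enumerable string keys only, so the `__proto__`/`constructor` guard that follows is still required (JSON.parse creates own properties with those names) and a short comment saying so would keep it from being "cleaned up" as dead code later. The `as Record<string, any>` cast appears only to satisfy the parameter type of Object.keys; typing baseObject more narrowly would avoid the `any`. Consider hoisting the two key names into a shared constant so any other merge path in the file uses the same denylist.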

Exploit Details

  • Proof of Concept: Demonstrates overriding application properties by passing a crafted JSON string to JSON.parse and then to defu.

Mitigation Strategies

  • Update library dependencies to patched versions
  • Implement strict input validation and sanitization using schema validators
  • Freeze the global object prototype in sensitive runtime environments

Remediation Steps:

  1. Identify all projects utilizing the defu library via dependency trees.
  2. Execute npm install defu@latest to upgrade to version 6.1.5 or newer.
  3. Audit codebases for usage patterns where user input is passed directly to defu().
  4. Implement middleware to strip __proto__ and constructor keys from incoming JSON payloads.
  5. Add Object.freeze(Object.prototype); at the application entry point if global prototype mutability is not required.
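The following is an added example (not code from the defu project or the report) of remediation step 4: a JSON.parse reviver and an equivalent deep walk that drop the two key names the report lists at every nesting level, wrapped in an Express-style middleware whose `req`/`res`/`next` shape is assumed. The sample payload is constructed.

```javascript
// Key names from remediation step 4 of the report.
const DANGEROUS_KEYS = ["__proto__", "constructor"];

// JSON.parse reviver: returning undefined deletes the property, so neither
// name survives at any depth (the reviver runs for nested objects and arrays).
function dropDangerousKeys(key, value) {
  return DANGEROUS_KEYS.includes(key) ? undefined : value;
}

function parseUntrustedJson(text) {
  return JSON.parse(text, dropDangerousKeys);
}

// Deep walk for bodies already parsed elsewhere (e.g. by a body parser).
// Object.keys visits own keys only; the WeakSet guards against cycles.
function stripDangerousKeys(value, seen = new WeakSet()) {
  if (value === null || typeof value !== "object" || seen.has(value)) return value;
  seen.add(value);
  for (const k of Object.keys(value)) {
    if (DANGEROUS_KEYS.includes(k)) {
      delete value[k]; // removes the own data property named "__proto__"/"constructor"
    } else {
      stripDangerousKeys(value[k], seen);
    }
  }
  return value;
}

// Hypothetical Express-style middleware: route handlers only see a cleaned body.
function sanitizeBodyMiddleware(req, res, next) {
  if (req.body && typeof req.body === "object") stripDangerousKeys(req.body);
  next();
}

// Constructed payload, nested and inside an array, to show depth handling.
const SAMPLE =
  '{"theme":"dark","nested":{"__proto__":{"isAdmin":true},"constructor":{"x":1},"keep":1},' +
  '"list":[{"__proto__":{"a":1}}]}';

function demo() {
  const parsed = parseUntrustedJson(SAMPLE);
  const req = { body: JSON.parse(SAMPLE) };
  let nextCalled = false;
  sanitizeBodyMiddleware(req, {}, () => { nextCalled = true; });
  return { parsed, middlewareBody: req.body, nextCalled };
}

console.log(JSON.stringify(demo()));
```

Step 5 (Object.freeze(Object.prototype)) is deliberately not called here: it is process-wide and irreversible, and it will break any dependency that patches Object.prototype, so it belongs in a staged rollout with the full test suite rather than in a unit example.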

Read the full report for CVE-2026-35209 on our website for more details including interactive diagrams and full exploit analysis.
