CVE-2026-35209

Severity: High · EPSS 31.6%
Published Apr 6, 2026 (2mo ago) · Modified Jun 17, 2026 (2w ago)
CVSS 3.1 base score: 7.5 (High)

Description

defu is software that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the merged result. The internal `_defu` function used `Object.assign({}, defaults)` to copy the defaults object. `Object.assign` invokes the `__proto__` setter, which replaces the resulting object's `[[Prototype]]` with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing `__proto__` key guard in the `for...in` loop and land in the final result. Version 6.1.5 replaces `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which uses `[[DefineOwnProperty]]` and does not invoke the `__proto__` setter.
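The copy-step difference the description turns on, shown as an added example that is not defu's own code: a simplified model of the copy-then-merge pattern with hypothetical function names (`copyWithAssign`, `copyWithSpread`, `mergeDefaults`, `applyDefaults`), run against a constructed JSON body, so a regression test can confirm the copied object keeps `Object.prototype` and the defaults survive.

```javascript
// Constructed sample: an untrusted JSON body carrying an own "__proto__" key
// (JSON.parse creates it as an ordinary own property, not as a prototype).
const UNTRUSTED_JSON = '{"name":"alice","__proto__":{"role":"admin"}}';

// Pre-6.1.5 copy step: Object.assign uses [[Set]], so copying the
// "__proto__" key invokes the inherited setter and swaps the copy's
// [[Prototype]] for the attacker-supplied object.
function copyWithAssign(source) {
  return Object.assign({}, source);
}

// 6.1.5 copy step: object spread uses [[DefineOwnProperty]], so "__proto__"
// becomes a plain own key and the copy keeps Object.prototype.
function copyWithSpread(source) {
  return { ...source };
}

// Hypothetical copy-then-merge modelled on the pattern the advisory
// describes: copy the defaults, then overlay the base object's keys,
// skipping "__proto__" and "constructor". for...in also visits inherited
// enumerable keys, which is how a polluted copy leaks "role" past the guard.
function mergeDefaults(base, defaults, copy) {
  const object = copy(defaults);
  for (const key in base) {
    if (key === "__proto__" || key === "constructor") continue;
    const value = base[key];
    if (value === null || value === undefined) continue;
    object[key] = value;
  }
  return object;
}

// Fold the arguments left to right starting from {}, so the untrusted
// input is copied first and the real defaults are applied second.
function applyDefaults(input, defaults, copy) {
  return [input, defaults].reduce((acc, cur) => mergeDefaults(acc, cur, copy), {});
}

// Defensive check for a regression test: a copy of untrusted input must
// still have Object.prototype as its [[Prototype]].
function copyKeepsPrototype(copy) {
  const copied = copy(JSON.parse(UNTRUSTED_JSON));
  return Object.getPrototypeOf(copied) === Object.prototype;
}

// Resolved "role" after merging the untrusted input over { role: "user" }.
function resolvedRole(copy) {
  return applyDefaults(JSON.parse(UNTRUSTED_JSON), { role: "user" }, copy).role;
}
```

With the assign-based copy the intermediate object's prototype is the parsed `{"role":"admin"}` and the final `role` becomes `"admin"`; with the spread-based copy the `__proto__` key stays an own property, the loop guard skips it, and `role` stays `"user"`.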

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
31.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-1321

Affected Products 1

Vendor  Product  Version  Range
unjs    defu     *        <6.1.5

References 4

  • github.com https://github.com/unjs/defu/commit/3942bfbbcaa72084bd4284846c83bd61ed7c8b29
    Patch
  • github.com https://github.com/unjs/defu/pull/156
    Issue Tracking, Patch
  • github.com https://github.com/unjs/defu/releases/tag/v6.1.5
    Release Notes
  • github.com https://github.com/unjs/defu/security/advisories/GHSA-737v-mqg7-c878
    Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/unjs/defu/commit/3942bfbbcaa72084bd4284846c83bd61ed7c8b29
    Patch
  • github.com https://github.com/unjs/defu/pull/156
    Issue Tracking, Patch