CVE-2026-35209: defu Prototype Pollution Vulnerability
Platform: nodejs
Component: defu
Fixed in: 6.1.5
CVE-2026-35209 describes a prototype pollution vulnerability affecting the `defu` package. The vulnerability arises when applications pass unsanitized user input as the first argument to the `defu()` function. A crafted payload containing a `__proto__` key can override intended default values in the merged result, leading to unexpected behavior or security implications. This issue is resolved in version 6.1.5.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is CVE-2026-35209?
CVE-2026-35209 is a prototype pollution vulnerability in the defu package that allows attackers to modify the prototype of JavaScript objects by injecting a `__proto__` property.
Am I affected by CVE-2026-35209?
You are affected if you are using a version of defu prior to 6.1.5 and passing unsanitized user input to the defu() function. This can lead to unintended modifications of object prototypes.
How do I fix CVE-2026-35209?
Upgrade to defu version 6.1.5 or later. This version includes a fix that prevents prototype pollution by sanitizing user input before merging it with default values.
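One defensive check for the issue described above, as an added example that is not the advisory's or the defu project's code: drop `__proto__`, `constructor` and `prototype` keys from untrusted JSON at every depth before it is handed to a defaults merge such as defu(). The function names and the sample body are assumptions.

```javascript
// Added example (not part of the advisory or the defu project): strip
// prototype-polluting keys from untrusted JSON before it reaches a
// defaults merge such as defu(). JSON.parse() turns "__proto__" into an
// ordinary own property, so a key-name check catches it.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively copy `value`, dropping any forbidden key at every depth.
// Returns the copy plus the list of dropped key paths for logging.
function stripProtoKeys(value, path = '', dropped = []) {
  if (Array.isArray(value)) {
    const clean = value.map((v, i) => stripProtoKeys(v, `${path}[${i}]`, dropped).clean);
    return { clean, dropped };
  }
  if (value === null || typeof value !== 'object') {
    return { clean: value, dropped };
  }
  const clean = {};
  for (const key of Object.keys(value)) {
    const keyPath = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) {
      dropped.push(keyPath);
      continue;
    }
    clean[key] = stripProtoKeys(value[key], keyPath, dropped).clean;
  }
  return { clean, dropped };
}

// Parse an untrusted request body and sanitize it in one step; the
// caller can then pass `clean` as the first argument to defu(clean, defaults).
function parseUntrusted(json) {
  return stripProtoKeys(JSON.parse(json));
}

// Constructed sample body (hypothetical): a __proto__ key at the top level
// and another one inside a nested object.
const SAMPLE_BODY =
  '{"theme":"dark","__proto__":{"isAdmin":true},"nested":{"__proto__":{"x":1},"ok":2}}';

const demo = parseUntrusted(SAMPLE_BODY);
console.log(JSON.stringify(demo.clean), demo.dropped);
// prints {"theme":"dark","nested":{"ok":2}} [ '__proto__', 'nested.__proto__' ]
```

Logging `dropped` gives a detection signal: a request body that carries these keys is worth alerting on even after it has been neutralised.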