CVE-2026-35209: Defu Prototype Pollution Vulnerability (6.1.5)
Platform
nodejs
Component
defu
Fixed in
6.1.5
CVE-2026-35209 describes a prototype pollution vulnerability in the 'defu' JavaScript library. It is triggered when unsanitized input, such as parsed JSON or database records, is passed to the `defu()` function, allowing an attacker to manipulate the prototype of the merged object. Successful exploitation can lead to unexpected behavior and potential privilege escalation in applications that rely on `defu()` for default values. The vulnerability affects versions of defu prior to 6.1.5, and a patch is available.
How to fix
Update the 'defu' library to version 6.1.5 or later to mitigate the prototype pollution vulnerability. The fix replaces `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which avoids invoking the `__proto__` setter: `Object.assign` copies each key with an ordinary property assignment, so an own `__proto__` key on the input re-parents the new object, whereas spread defines `__proto__` as a plain own data property.
Frequently asked questions
What is prototype pollution in defu?
Prototype pollution in defu occurs when an attacker can change the prototype of the objects `defu()` builds, so that properties they control are inherited and override intended default values. It is achieved with a payload containing a `__proto__` key (for example, produced by `JSON.parse` on attacker-supplied JSON) that `defu()` processes without sanitizing it.
Am I affected by CVE-2026-35209?
You are affected if you use a version of the 'defu' library prior to 6.1.5 and pass unsanitized user input as the first argument to `defu()`. Review your code for call sites where request bodies, query parameters or other untrusted objects reach `defu()`, and check the installed version with `npm ls defu`.
How do I fix this vulnerability?
Upgrade to version 6.1.5 or later of the 'defu' library. This version copies its inputs with object spread instead of `Object.assign`, so an own `__proto__` key in the input no longer invokes the prototype setter. Until you can upgrade, reject or strip `__proto__`, `constructor` and `prototype` keys from untrusted input before it reaches `defu()`; treat this as defence in depth, not as a replacement for the upgrade.
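The following is an added example, not code from the defu project, showing the mechanism behind the fix described above and the behaviour the first FAQ answer describes: a JSON body carrying an own `__proto__` key re-parents a copy made with `Object.assign({}, input)` but not one made with `{ ...input }`. The payload is constructed for the demonstration, and the function names (`copyWithAssign`, `copyWithSpread`, `hasDangerousKeys`) are illustrative rather than defu's API; `hasDangerousKeys` is the kind of pre-upgrade input check assumed in the answer above.

```javascript
// Added example, not defu's own code. Demonstrates why Object.assign({}, input)
// and { ...input } differ when the input has an own "__proto__" key.

// Constructed attacker payload, as an HTTP API might receive it in a request body.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Vulnerable shape (as in defu before 6.1.5): Object.assign copies keys with
// ordinary assignment, so an own "__proto__" key on the source invokes the
// Object.prototype.__proto__ setter and changes the copy's prototype.
function copyWithAssign(source) {
  return Object.assign({}, source);
}

// Fixed shape (as in defu 6.1.5): object spread defines own data properties,
// so "__proto__" becomes a plain own property and the prototype is untouched.
function copyWithSpread(source) {
  return { ...source };
}

// Runs both copies over the parsed payload and reports what an application
// consulting the merged defaults would observe.
function demonstrate() {
  const input = JSON.parse(PAYLOAD); // JSON.parse yields an OWN "__proto__" key
  const assigned = copyWithAssign(input);
  const spread = copyWithSpread(input);
  return {
    // Vulnerable copy: prototype replaced, so "isAdmin" is inherited as true.
    assignedPrototypeReplaced: Object.getPrototypeOf(assigned) !== Object.prototype,
    assignedIsAdmin: assigned.isAdmin,
    // Fixed copy: prototype still Object.prototype, "isAdmin" never appears,
    // and "__proto__" is just an own property the application can ignore.
    spreadPrototypeClean: Object.getPrototypeOf(spread) === Object.prototype,
    spreadIsAdmin: spread.isAdmin,
    spreadHasOwnProto: Object.prototype.hasOwnProperty.call(spread, "__proto__"),
    // Neither copy touched the global Object.prototype.
    globalPrototypeClean: ({}).isAdmin === undefined,
  };
}

// Defence-in-depth check assumed here for the pre-upgrade window: refuse input
// whose own keys, at any depth, name a prototype-reaching property.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function hasDangerousKeys(value) {
  if (value === null || typeof value !== "object") return false;
  if (Array.isArray(value)) return value.some(hasDangerousKeys);
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key) || hasDangerousKeys(value[key])) return true;
  }
  return false;
}

// Usage: call demonstrate() to compare the two copies, and gate untrusted
// objects with hasDangerousKeys(obj) before handing them to defu().
```

`Object.keys` on the parsed payload includes `__proto__` because `JSON.parse` creates it as an own property; a check that only inspects `obj.__proto__` would miss it, which is why the guard iterates own keys.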