Platform: nodejs
Component: defu
Fixed in: 6.1.6, 6.1.5
CVE-2026-35209 describes a prototype pollution vulnerability discovered in the defu Node.js package. This flaw allows attackers to manipulate application behavior by overriding default values through crafted payloads. The vulnerability impacts versions of defu prior to 6.1.5 and a fix has been released. Proper input sanitization is crucial to mitigate this risk.
Prototype pollution occurs when an attacker can modify the prototype of JavaScript objects, effectively altering the behavior of all objects inheriting from that prototype. In the context of defu, an attacker can inject a `__proto__` key into user-supplied data (such as JSON request bodies or configuration files) that is then passed to the defu() function. This allows them to override intended default values, potentially granting unauthorized access or modifying application logic. For example, an attacker could set isAdmin: true to bypass access controls. The blast radius extends to any part of the application relying on the defu function and its default values, making it a significant security concern.
This vulnerability was publicly disclosed on 2026-04-04. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the potential impact make it a high-priority concern. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-35209 is to upgrade to defu version 6.1.5 or later, which includes a fix for the vulnerability. If upgrading is not immediately feasible, implement strict input sanitization on any user-supplied data passed to defu(). This involves validating and filtering input to prevent the injection of malicious `__proto__` payloads. Consider using a dedicated input validation library to ensure comprehensive protection. Additionally, review application code that uses defu to identify places where prototype pollution could be exploited. After upgrading, confirm the fix by attempting to trigger the prototype pollution vulnerability with a crafted payload and verifying that the default values are not overridden.
Update the 'defu' library to version 6.1.5 or higher to mitigate the prototype pollution vulnerability. The fix replaces `Object.assign({}, defaults)` with object spread (`{ ...defaults }`): `Object.assign` copies properties with [[Set]], so an own `__proto__` key invokes the `__proto__` setter, whereas spread defines plain own data properties and never invokes it.
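The following is an added example, not defu's own code: it contrasts the two copy strategies named above, adds the recursive input sanitizer the mitigation section recommends, and provides a regression check of the kind suggested for confirming a fix. The payload string and the `isAdmin` marker are constructed sample values.

```javascript
// Added example, not defu's own code: contrasts the two copy strategies the
// advisory names, adds a sanitizer for parsed input, and a regression check.

// JSON.parse turns "__proto__" into an *own* property (it never changes the
// prototype itself); this is what a parsed request body looks like.
// Constructed sample payload for the checks below.
const UNTRUSTED_JSON = '{"__proto__":{"isAdmin":true},"theme":"dark"}';

// Pattern the advisory says was replaced: Object.assign uses [[Set]], so an
// own "__proto__" key invokes the Object.prototype.__proto__ setter and
// re-parents the copy, making "isAdmin" appear as an inherited value.
function copyWithAssign(source) {
  return Object.assign({}, source);
}

// Pattern the fix uses: spread defines own data properties, so "__proto__"
// stays an ordinary own key and no setter runs.
function copyWithSpread(source) {
  return { ...source };
}

// Input sanitization the advisory recommends as the interim mitigation:
// drop prototype-related keys recursively before data reaches any merger.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function stripProtoKeys(value) {
  if (Array.isArray(value)) return value.map(stripProtoKeys);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = stripProtoKeys(value[key]);
  }
  return out;
}

// Regression check for a merge/copy helper: returns true only if neither the
// result's prototype chain nor the global Object.prototype exposes "isAdmin".
function helperResistsProtoKey(helper) {
  const result = helper(JSON.parse(UNTRUSTED_JSON));
  const resultClean =
    Object.getPrototypeOf(result) === Object.prototype &&
    result.isAdmin === undefined;
  const globalClean = ({}).isAdmin === undefined;
  return resultClean && globalClean;
}
```

Running `helperResistsProtoKey` against your own merge wrapper after the upgrade gives a quick pass/fail answer to the "confirm the fix" step above.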
CVE-2026-35209 is a HIGH severity prototype pollution vulnerability in the defu Node.js package, allowing attackers to override default values through crafted payloads.
You are affected if you are using defu versions prior to 6.1.5 and pass unsanitized user input to the defu() function.
Upgrade to defu version 6.1.5 or later. If upgrading is not possible, implement strict input sanitization on any user-supplied data passed to defu().
No active exploitation campaigns have been publicly reported, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the defu project's repository and associated release notes for the official advisory and details on the fix.