Prototype Pollution Vulnerability in Defu Software from UnJS
CVE-2026-35209

7.5 HIGH

Key Information:

Vendor: UnJS
Status: Vendor
CVE Published: 6 April 2026

What is CVE-2026-35209?

defu is a library for recursively assigning default properties to an object. Prior to version 6.1.5, defu was vulnerable to prototype pollution when unsanitized user input was passed as the first argument to the defu() function. An attacker could craft a payload containing a __proto__ key and thereby override intended default values in the merged result. The use of Object.assign({}, defaults) inside the internal _defu function was the risky step: assigning an own __proto__ key invoked the __proto__ setter, so the prototype of the resulting object came under the attacker's control. Properties inherited from that polluted prototype could then bypass existing security checks, including the key guard in for...in loops. Version 6.1.5 mitigated the issue by replacing Object.assign with object spread syntax, which does not invoke the __proto__ setter.
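The following is an added illustration, not defu's own source, of the mechanism described above: a minimal recursive defaults merge written once with the pre-6.1.5 copy step (Object.assign) and once with the 6.1.5 copy step (object spread), fed the same constructed JSON input. The helper names (merge, defuLike, hasCleanPrototype) and the sample input are assumptions made for this example.

```javascript
// Added illustration, not defu's source: a minimal recursive defaults merge
// in the two shapes the advisory describes, differing only in the copy step.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Shared recursion: copy `defaults`, then overlay the keys of `base`.
// The for...in key guard only filters keys it sees on `base`; it cannot
// undo a prototype that the copy step has already swapped.
function merge(base, defaults, copy) {
  const out = copy(defaults);
  for (const key in base) {
    if (key === "__proto__" || key === "constructor") continue;
    const val = base[key];
    if (isPlainObject(val) && isPlainObject(out[key])) {
      out[key] = merge(val, out[key], copy);
    } else if (val !== undefined) {
      out[key] = val;
    }
  }
  return out;
}

// Pre-6.1.5 shape: Object.assign *assigns* each own key, so an own
// "__proto__" property on `src` invokes the inherited __proto__ setter.
const copyAssign = (src) => Object.assign({}, src);
// 6.1.5 shape: spread *defines* each own key as a plain data property;
// the setter never runs and the result keeps Object.prototype.
const copySpread = (src) => ({ ...src });

// Like defu(...args): reduce left to right from {}, so the first
// (user-controlled) argument is the `defaults` side of the first call.
function defuLike(copy, ...args) {
  return args.reduce((acc, next) => merge(acc, next, copy), {});
}
// Constructed input: JSON.parse yields an *own* "__proto__" property
// (an object literal with __proto__ would set the prototype instead).
const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "guest"}');
const appDefaults = { name: "anonymous", isAdmin: false };

// Check a consumer can apply to any merged config before trusting it.
function hasCleanPrototype(obj) {
  return Object.getPrototypeOf(obj) === Object.prototype;
}

const firstStepBefore = merge({}, untrusted, copyAssign); // prototype replaced
const firstStepAfter = merge({}, untrusted, copySpread);  // prototype intact
const before = defuLike(copyAssign, untrusted, appDefaults); // isAdmin: true
const after = defuLike(copySpread, untrusted, appDefaults);  // isAdmin: false
```

In the Object.assign variant the inherited isAdmin is picked up by the for...in loop in the second merge step and overrides the default, which is exactly the guard bypass the advisory describes; the spread variant keeps __proto__ as an inert own key that the guard then skips.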

Affected Version(s)

defu < 6.1.5

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved