GHSA-737v-mqg7-c878
Suggest an improvement- Source
- https://github.com/advisories/GHSA-737v-mqg7-c878
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-737v-mqg7-c878/GHSA-737v-mqg7-c878.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-737v-mqg7-c878
- Aliases
-
- CVE-2026-35209
- Published
- 2026-04-04T06:17:53Z
- Modified
- 2026-04-04T06:31:29.180552Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- defu: Prototype pollution via `__proto__` key in defaults argument
- Details
-
Impact
Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to
defu()are vulnerable to prototype pollution.A crafted payload containing a
__proto__key can override intended default values in the merged result:import { defu } from 'defu' const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}') const config = defu(userInput, { isAdmin: false }) config.isAdmin // true — attacker overrides the server defaultRoot Cause
The internal
_defufunction usedObject.assign({}, defaults)to copy the defaults object.Object.assigninvokes the__proto__setter, which replaces the resulting object's[[Prototype]]with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing__proto__key guard in thefor...inloop and land in the final result.Fix
Replace
Object.assign({}, defaults)with object spread ({ ...defaults }), which uses[[DefineOwnProperty]]and does not invoke the__proto__setter.Affected Versions
<= 6.1.4
Credits
Reported by @BlackHatExploitation
- Database specific
{ "cwe_ids": [ "CWE-1321" ], "severity": "HIGH", "nvd_published_at": null, "github_reviewed": true, "github_reviewed_at": "2026-04-04T06:17:53Z" }- References
Affected packages
npm / defu
Package
- Name
- defu
- View open source insights on deps.dev
- Purl
- pkg:npm/defu