
4 matches found

Cvelist
added 2026/04/06 5:26 p.m., 15 views

CVE-2026-35209 defu: Prototype pollution via `__proto__` key in defaults argument

defu is software that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype...

CVSS 7.5, EPSS 0.00018
Exploits: 0, References: 4
CVE
added 2026/04/06 5:26 p.m., 20 views

CVE-2026-35209

CVE-2026-35209 affects defu, a recursive defaults merger. Before v6.1.5, the vulnerable code path uses Object.assign({}, defaults) in _defu. When the defaults object carries an own `__proto__` key (as JSON.parse produces for a `"__proto__"` member), Object.assign invokes the inherited `__proto__` setter and pollutes the result object's prototype chain, allowing attacker-controlled values to appear in the final result. The vulnerability ar...

CVSS 7.5, AI score 5.9, EPSS 0.00018
Exploits: 0, References: 4, Affected Software: 1
Vulnrichment
added 2026/04/06 5:26 p.m., 0 views

CVE-2026-35209 defu: Prototype pollution via `__proto__` key in defaults argument

defu is software that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype...

CVSS 7.5, AI score 5.9, EPSS 0.00018
Exploits: 0, References: 4
OSV
added 2026/04/04 6:17 a.m., 2 views

GHSA-737V-MQG7-C878 defu: Prototype pollution via `__proto__` key in defaults argument

Impact: Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the...

CVSS 7.5, AI score 5.9, EPSS 0.00018
Exploits: 0, References: 6
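The code path named in the CVE entry above (Object.assign({}, defaults) fed an object with an own `__proto__` key) and the impact described in the GHSA entry (injected values overriding intended defaults) can be reproduced without defu. The following is an added example, not defu's own source or its fix: the function names, the JSON body and the defaults object are constructed for illustration, and the hardened variant is one reasonable mitigation, not a claim about what version 6.1.5 does.

```javascript
'use strict';
// Added example, not defu's code. It shows why Object.assign({}, defaults)
// is unsafe when `defaults` comes from untrusted input, and one way to merge
// that does not reach the prototype machinery.

// Vulnerable pattern: Object.assign copies the own enumerable "__proto__"
// property with [[Set]], which runs the inherited __proto__ setter and
// replaces the prototype of the fresh target object with the attacker's
// value. Defaults are then applied only for keys not already "in" the
// result, and the injected prototype satisfies that check.
function unsafeMerge(input, defaults) {
  const out = Object.assign({}, input);
  for (const key of Object.keys(defaults)) {
    if (!(key in out)) out[key] = defaults[key];
  }
  return out;
}

// Hardened variant (assumed mitigation): copy only own keys and refuse the
// ones that reach prototype internals. Object.keys still lists the own
// "__proto__" key that JSON.parse created, so it is dropped before any
// assignment can trigger the setter.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(input, defaults) {
  const out = {};
  for (const key of Object.keys(defaults)) {
    if (!FORBIDDEN_KEYS.has(key)) out[key] = defaults[key];
  }
  for (const key of Object.keys(input)) {
    if (!FORBIDDEN_KEYS.has(key)) out[key] = input[key];
  }
  return out;
}

// Constructed untrusted input: a JSON request body with a "__proto__" member.
// JSON.parse creates it as an ordinary own property and does not change any
// prototype by itself; the damage happens at merge time.
const UNTRUSTED_BODY =
  '{"__proto__": {"role": "admin", "isAdmin": true}, "name": "mallory"}';
const APP_DEFAULTS = { role: 'guest', isAdmin: false };

// Runs both merges on the same input and returns what a caller would observe.
function demo() {
  const input = JSON.parse(UNTRUSTED_BODY);
  const bad = unsafeMerge(input, APP_DEFAULTS);
  const good = safeMerge(input, APP_DEFAULTS);
  return {
    badRole: bad.role,           // 'admin': the 'guest' default was never applied
    badIsAdmin: bad.isAdmin,     // true, read through the injected prototype
    badPrototypeHijacked: Object.getPrototypeOf(bad) !== Object.prototype,
    goodRole: good.role,         // 'guest'
    goodIsAdmin: good.isAdmin,   // false
    goodName: good.name,         // 'mallory': ordinary keys still merge
    goodHasOwnProto: Object.prototype.hasOwnProperty.call(good, '__proto__'),
    globalUntouched: Object.prototype.role === undefined,
  };
}

console.log(demo());
```

Note the last field: in this pattern the global Object.prototype is not modified, the freshly created result object gets an attacker-chosen prototype instead, which is enough to shadow every default the application intended to apply. A check worth adding to any merge helper that accepts external data is exactly the `FORBIDDEN_KEYS` filter, applied before assignment rather than after.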