14 matches found
ROOT-APP-NPM-CVE-2026-35209 CVE-2026-35209 in @rootio/defu - Patched by Root
Root has patched CVE-2026-35209 in the @rootio/defu package for Root:npm. Multiple fixed versions available...
CVE-2026-35209
defu is software that allows uers to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input e.g. parsed JSON request bodies, database records, or config files from untrusted sources as the first argument to defu are vulnerable to prototype...
CVE-2026-35209
defu is software that allows uers to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input e.g. parsed JSON request bodies, database records, or config files from untrusted sources as the first argument to defu are vulnerable to prototype...
CVE-2026-35209 defu: Prototype pollution via `__proto__` key in defaults argument
defu is software that allows uers to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input e.g. parsed JSON request bodies, database records, or config files from untrusted sources as the first argument to defu are vulnerable to prototype...
CVE-2026-35209
CVE-2026-35209 affects defu, a recursive defaults merger. Before v6.1.5, the vulnerable code path uses Object.assign({}, defaults) in _defu, which can trigger the proto setter and pollute the Object prototype, allowing attacker-controlled values to appear in the final result. The vulnerability ar...
CVE-2026-35209 defu: Prototype pollution via `__proto__` key in defaults argument
defu is software that allows uers to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input e.g. parsed JSON request bodies, database records, or config files from untrusted sources as the first argument to defu are vulnerable to prototype...
defu 安全漏洞
Defu is a lightweight tool library developed by UnJS for recursively merging default values. Versions of Defu prior to 6.1.5 contained security vulnerabilities; these vulnerabilities stemmed from the practice of passing uncleaned user input into the Defu functions, which could lead to prototype...
Prototype Pollution
Overview defu is a Recursively assign default properties. Lightweight and Fast! Affected versions of this package are vulnerable to Prototype Pollution via the defu function. An attacker can override default configuration values by supplying crafted input containing a proto key, which results in...
@2digits/oxfmt-config (=0.3.0), @2digits/oxlint-config (>=0.0.1 <=0.4.0) +510 more potentially affected by CVE-2026-35209 via defu (>=6.0.0 <=6.1.4)
defu NPM version =6.0.0, =0.0.1, =0.0.3, =1.0.0, =0.1.22, =0.1.23, =0.1.18, =0.1.24, =0.1.26 and more Source cves: CVE-2026-35209 Source advisory: SNYK:JS-DEFU-15914644...
defu: Prototype pollution via `__proto__` key in defaults argument
Impact Applications that pass unsanitized user input e.g. parsed JSON request bodies, database records, or config files from untrusted sources as the first argument to defu are vulnerable to prototype pollution. A crafted payload containing a proto key can override intended default values in the...
org.webjars.npm:listhen (=1.0.1), org.webjars.npm:radix-vue (=1.9.17) +5 more potentially affected by CVE-2026-35209 via org.webjars.npm:defu (=6.1.4)
org.webjars.npm:defu MAVEN version =6.1.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:defu and may be impacted: - org.webjars.npm:listhen =1.0.1 - org.webjars.npm:radix-vue =1.9.17 - org.webjars.npm:rc9 =2.0.0, =0.52.1, =0.52.3 Sour...
GHSA-737V-MQG7-C878 defu: Prototype pollution via `__proto__` key in defaults argument
Impact Applications that pass unsanitized user input e.g. parsed JSON request bodies, database records, or config files from untrusted sources as the first argument to defu are vulnerable to prototype pollution. A crafted payload containing a proto key can override intended default values in the...
Prototype Pollution
Overview org.webjars.npm:defu is a Recursively assign default properties. Lightweight and Fast! Affected versions of this package are vulnerable to Prototype Pollution via the defu function. An attacker can override default configuration values by supplying crafted input containing a proto key,...
PT-2026-30321
Name of the Vulnerable Software and Affected Versions defu versions prior to 6.1.5 Description Applications using the defu software are susceptible to prototype pollution when processing unsanitized user input, such as parsed JSON request bodies, database records, or config files from untrusted...