10 matches found
CVE-2026-35209
defu is software that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype...
CVE-2026-35209
defu is software that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype...
CVE-2026-35209
CVE-2026-35209 affects defu, a recursive defaults merger. Before v6.1.5, the vulnerable code path uses `Object.assign({}, defaults)` in `_defu`, which can trigger the `__proto__` setter and pollute the Object prototype, allowing attacker-controlled values to appear in the final result. The vulnerability ar...
defu: Prototype pollution via `__proto__` key in defaults argument
Impact: Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the...
GHSA-737V-MQG7-C878 defu: Prototype pollution via `__proto__` key in defaults argument
Impact: Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the...
PT-2026-30321
Name of the Vulnerable Software and Affected Versions: defu versions prior to 6.1.5. Description: Applications using the defu software are susceptible to prototype pollution when processing unsanitized user input, such as parsed JSON request bodies, database records, or config files from untrusted...
Malicious Package
Overview: prefer-object-spread is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious code in prefer-object-spread (npm)
Source: ghsa-malware 24f3eb78b1232c6b636794710f52f1699237b0b29192397a63c0b1b307652154. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-49033 Malicious code in prefer-object-spread (npm)
Source: ghsa-malware 24f3eb78b1232c6b636794710f52f1699237b0b29192397a63c0b1b307652154. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
EUVD-2025-36863
Malicious code in prefer-object-spread npm...