Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35209

CVE-2026-35209: defu Prototype Pollution Vulnerability

CVE-2026-35209 is a prototype pollution vulnerability in defu that allows attackers to override object prototypes via crafted __proto__ payloads. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-35209 Overview

CVE-2026-35209 is a prototype pollution vulnerability in defu, a JavaScript library that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (such as parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to the defu() function are vulnerable to prototype pollution attacks.

A crafted payload containing a __proto__ key can override intended default values in the merged result, allowing attackers to inject malicious properties into JavaScript objects throughout the application. This vulnerability is classified as CWE-1321 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Attackers can manipulate object prototypes to bypass security controls, inject malicious properties, or cause application instability through prototype pollution via unsanitized input to the defu() function.

Affected Products

  • defu versions prior to 6.1.5
  • Applications using defu() with unsanitized user input as the first argument
  • Node.js applications processing untrusted JSON, database records, or configuration files

Discovery Timeline

  • 2026-04-06 - CVE CVE-2026-35209 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-35209

Vulnerability Analysis

This prototype pollution vulnerability exists in the internal _defu function of the defu library. The core issue stems from how JavaScript handles property assignment when using Object.assign() versus object spread syntax.

The vulnerable code used Object.assign({}, defaults) to copy the defaults object. When Object.assign encounters a __proto__ key in the source object, it invokes the __proto__ setter on the target object, which replaces the resulting object's [[Prototype]] with attacker-controlled values.

Properties inherited from the polluted prototype can then bypass the existing __proto__ key guard in the for...in loop and land in the final result, effectively allowing attackers to inject arbitrary properties into all objects that inherit from the polluted prototype.

Root Cause

The root cause is the use of Object.assign({}, defaults) to copy default objects. Object.assign treats __proto__ as a regular property assignment, which triggers the prototype setter and allows modification of the object's prototype chain. While the library included a guard in its for...in loop to skip __proto__ and constructor keys, this protection was bypassed because the prototype pollution occurred during the Object.assign operation before the loop executed.

Attack Vector

An attacker can exploit this vulnerability by providing malicious input containing a __proto__ key to any application that passes unsanitized data to the defu() function. Common attack vectors include:

  • Malicious JSON payloads in HTTP request bodies
  • Crafted database records containing __proto__ properties
  • Untrusted configuration files processed by the application
  • Any user-controllable data merged using defu()

The fix in version 6.1.5 replaces Object.assign({}, defaults) with object spread syntax ({ ...defaults }), which uses [[DefineOwnProperty]] internally and does not invoke the __proto__ setter:

typescript
     return _defu(baseObject, {}, namespace, merger);
   }
 
-  const object = Object.assign({}, defaults);
+  const object = { ...defaults };
 
   for (const key in baseObject) {
     if (key === "__proto__" || key === "constructor") {

Source: GitHub Commit Update

Detection Methods for CVE-2026-35209

Indicators of Compromise

  • Unexpected properties appearing in application objects that were not explicitly defined
  • Application behavior changes or security control bypasses without code modifications
  • JSON payloads in logs containing __proto__, constructor, or prototype keys
  • Error messages indicating unexpected object property access or type mismatches

Detection Strategies

  • Implement input validation logging to detect __proto__, constructor, and prototype keys in incoming JSON data
  • Monitor application dependencies using software composition analysis (SCA) tools to identify vulnerable defu versions
  • Deploy runtime application self-protection (RASP) solutions to detect prototype pollution attempts
  • Review code for patterns where user input flows directly into defu() function calls

Monitoring Recommendations

  • Enable verbose logging for JSON parsing operations to capture suspicious payloads
  • Set up alerts for npm audit warnings related to the defu package
  • Monitor for unusual object property access patterns in application performance monitoring (APM) tools
  • Implement Content Security Policy (CSP) headers and monitor violations that may indicate exploitation attempts

How to Mitigate CVE-2026-35209

Immediate Actions Required

  • Upgrade defu to version 6.1.5 or later immediately
  • Audit all code paths where user-controlled data is passed to defu() function calls
  • Implement input validation to reject or sanitize objects containing __proto__, constructor, or prototype keys
  • Review and update any downstream dependencies that may include vulnerable defu versions

Patch Information

The vulnerability has been patched in defu version 6.1.5. The fix replaces the vulnerable Object.assign({}, defaults) pattern with object spread syntax ({ ...defaults }), which uses [[DefineOwnProperty]] and does not invoke the __proto__ setter.

For detailed information about the patch, see:

Workarounds

  • If immediate upgrade is not possible, implement a wrapper function that sanitizes input objects before passing to defu()
  • Use Object.freeze(Object.prototype) as a defense-in-depth measure (may cause compatibility issues with some libraries)
  • Validate and filter incoming JSON to remove dangerous keys like __proto__, constructor, and prototype before processing
bash
# Upgrade defu to patched version
npm update defu@6.1.5

# Verify installed version
npm list defu

# Audit for vulnerable dependencies
npm audit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.