CVE-2026-35209 Overview
CVE-2026-35209 is a prototype pollution vulnerability in defu, a JavaScript library that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (such as parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to the defu() function are vulnerable to prototype pollution attacks.
A crafted payload containing a __proto__ key can override intended default values in the merged result, allowing attackers to inject malicious properties into JavaScript objects throughout the application. This vulnerability is classified as CWE-1321 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Attackers can manipulate object prototypes to bypass security controls, inject malicious properties, or cause application instability through prototype pollution via unsanitized input to the defu() function.
Affected Products
- defu versions prior to 6.1.5
- Applications using defu() with unsanitized user input as the first argument
- Node.js applications processing untrusted JSON, database records, or configuration files
Discovery Timeline
- 2026-04-06 - CVE CVE-2026-35209 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35209
Vulnerability Analysis
This prototype pollution vulnerability exists in the internal _defu function of the defu library. The core issue stems from how JavaScript handles property assignment when using Object.assign() versus object spread syntax.
The vulnerable code used Object.assign({}, defaults) to copy the defaults object. When Object.assign encounters a __proto__ key in the source object, it invokes the __proto__ setter on the target object, which replaces the resulting object's [[Prototype]] with attacker-controlled values.
Properties inherited from the polluted prototype can then bypass the existing __proto__ key guard in the for...in loop and land in the final result, effectively allowing attackers to inject arbitrary properties into all objects that inherit from the polluted prototype.
Root Cause
The root cause is the use of Object.assign({}, defaults) to copy default objects. Object.assign treats __proto__ as a regular property assignment, which triggers the prototype setter and allows modification of the object's prototype chain. While the library included a guard in its for...in loop to skip __proto__ and constructor keys, this protection was bypassed because the prototype pollution occurred during the Object.assign operation before the loop executed.
Attack Vector
An attacker can exploit this vulnerability by providing malicious input containing a __proto__ key to any application that passes unsanitized data to the defu() function. Common attack vectors include:
- Malicious JSON payloads in HTTP request bodies
- Crafted database records containing __proto__ properties
- Untrusted configuration files processed by the application
- Any user-controllable data merged using defu()
The fix in version 6.1.5 replaces Object.assign({}, defaults) with object spread syntax ({ ...defaults }), which uses [[DefineOwnProperty]] internally and does not invoke the __proto__ setter:
return _defu(baseObject, {}, namespace, merger);
}
- const object = Object.assign({}, defaults);
+ const object = { ...defaults };
for (const key in baseObject) {
if (key === "__proto__" || key === "constructor") {
Source: GitHub Commit Update
Detection Methods for CVE-2026-35209
Indicators of Compromise
- Unexpected properties appearing in application objects that were not explicitly defined
- Application behavior changes or security control bypasses without code modifications
- JSON payloads in logs containing __proto__, constructor, or prototype keys
- Error messages indicating unexpected object property access or type mismatches
Detection Strategies
- Implement input validation logging to detect __proto__, constructor, and prototype keys in incoming JSON data
- Monitor application dependencies using software composition analysis (SCA) tools to identify vulnerable defu versions
- Deploy runtime application self-protection (RASP) solutions to detect prototype pollution attempts
- Review code for patterns where user input flows directly into defu() function calls
Monitoring Recommendations
- Enable verbose logging for JSON parsing operations to capture suspicious payloads
- Set up alerts for npm audit warnings related to the defu package
- Monitor for unusual object property access patterns in application performance monitoring (APM) tools
- Implement Content Security Policy (CSP) headers and monitor violations that may indicate exploitation attempts
How to Mitigate CVE-2026-35209
Immediate Actions Required
- Upgrade defu to version 6.1.5 or later immediately
- Audit all code paths where user-controlled data is passed to defu() function calls
- Implement input validation to reject or sanitize objects containing __proto__, constructor, or prototype keys
- Review and update any downstream dependencies that may include vulnerable defu versions
Patch Information
The vulnerability has been patched in defu version 6.1.5. The fix replaces the vulnerable Object.assign({}, defaults) pattern with object spread syntax ({ ...defaults }), which uses [[DefineOwnProperty]] and does not invoke the __proto__ setter.
For detailed information about the patch, see:
Workarounds
- If immediate upgrade is not possible, implement a wrapper function that sanitizes input objects before passing to defu()
- Use Object.freeze(Object.prototype) as a defense-in-depth measure (may cause compatibility issues with some libraries)
- Validate and filter incoming JSON to remove dangerous keys like __proto__, constructor, and prototype before processing
# Upgrade defu to patched version
npm update defu@6.1.5
# Verify installed version
npm list defu
# Audit for vulnerable dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
