Description
defu is software that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the merged result. The internal `_defu` function used `Object.assign({}, defaults)` to copy the defaults object. `Object.assign` invokes the `__proto__` setter, which replaces the resulting object's `[[Prototype]]` with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing `__proto__` key guard in the `for...in` loop and land in the final result. Version 6.1.5 replaces `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which uses `[[DefineOwnProperty]]` and does not invoke the `__proto__` setter.
Published: 2026-04-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Prototype pollution enabling unintended property injection
Action: Patch Now
AI Analysis

Impact

defu allows developers to merge default values into objects recursively. Before version 6.1.5, an attacker could send a payload containing a __proto__ key as part of the defaults argument. The library copied defaults with Object.assign, which triggered the __proto__ setter and replaced the prototype of the result object. This prototype pollution can allow attackers to inject arbitrary properties into the Object.prototype, potentially affecting all objects created thereafter and leading to logic bypasses or other unintended behavior.
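The copy-step difference that the Description and the Impact paragraph above describe, shown side by side in a small recursive defaults merge modelled on the behaviour the advisory attributes to `_defu`. This is an added example and not defu's own source: `makeMerge`, `mergeVulnerable`, `mergeFixed`, `run` and the JSON body are constructed for illustration, and the "first argument is copied first" ordering is an assumption about how the library folds its arguments.

```javascript
// Added example (not defu's source): a simplified recursive defaults merge.
// The only difference between the two variants is how `defaults` is copied.
const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

function makeMerge(copyDefaults) {
  function _merge(base, defaults) {
    const obj = copyDefaults(defaults);
    // Own-key guard as described in the advisory: a key literally named
    // "__proto__" on `base` is skipped. for...in, however, also walks the
    // inherited enumerable properties of `base`, which is the bypass.
    for (const key in base) {
      if (key === "__proto__" || key === "constructor") continue;
      const val = base[key];
      if (val === undefined) continue;
      if (isObject(val) && isObject(obj[key])) obj[key] = _merge(val, obj[key]);
      else obj[key] = val;
    }
    return obj;
  }
  // Assumed defu-like calling convention: merge(base, ...defaults), folding
  // left to right from an empty object, so the first argument is copied first.
  return (...args) => args.reduce((acc, cur) => _merge(acc, cur), {});
}

// Vulnerable variant: Object.assign uses [[Set]], so an own "__proto__" key
// on the source invokes the __proto__ setter of the fresh target object.
const mergeVulnerable = makeMerge((d) => Object.assign({}, d));
// Fixed variant (the 6.1.5 change per the advisory): spread uses
// [[DefineOwnProperty]], so "__proto__" becomes an ordinary own data key.
const mergeFixed = makeMerge((d) => ({ ...d }));

// Constructed sample input: a parsed JSON body carrying a "__proto__" key.
// JSON.parse creates an *own* property named "__proto__"; it does not touch
// the prototype by itself. The copy step decides what happens next.
const untrustedBody = JSON.parse('{"name":"guest","__proto__":{"isAdmin":true}}');
const appDefaults = { isAdmin: false, theme: "light" };

// Returns the observable outcome of merging the untrusted body over the
// application defaults with the given merge function.
function run(merge) {
  const result = merge(untrustedBody, appDefaults);
  return {
    isAdmin: result.isAdmin,
    ownIsAdmin: Object.prototype.hasOwnProperty.call(result, "isAdmin"),
    // Object.prototype itself stays untouched in this construction; the
    // damage is confined to the merged result object.
    globalPolluted: ({}).isAdmin !== undefined,
  };
}

console.log("vulnerable:", run(mergeVulnerable));
console.log("fixed:     ", run(mergeFixed));
```

In the vulnerable variant the first fold step returns an object whose `[[Prototype]]` is the attacker-supplied `{ isAdmin: true }`; the next step's `for...in` then sees `isAdmin` as an inherited enumerable key, passes the own-key guard, and writes it into the result as an own property, overriding the default of `false`. With spread, `__proto__` stays an own data key that the guard skips and the default survives.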

Affected Systems

The affected product is the JavaScript library defu, maintained by unjs. All releases prior to 6.1.5 are vulnerable. Applications that use defu to merge user-supplied data, such as parsed JSON bodies or configuration files from untrusted sources, are at risk unless they have removed the ability to pass raw user data to defu.

Risk and Exploitability

The CVSS base score is 7.5, indicating a high potential for severe impact if exploited. The CVE is not listed in KEV and no EPSS score is available. Attacks would require sending crafted input to a defu invocation, which is likely possible via an HTTP endpoint or configuration import. Once the prototype is polluted, any subsequent object created in the same process can inherit the injected properties, allowing attackers to alter runtime behavior or bypass security checks.

Generated by OpenCVE AI on April 6, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update defu to version 6.1.5 or newer.
  • Verify that all inputs to defu() are sanitized or derived from trusted sources.
  • Review application code for other prototype pollution risks.

Advisories

Source: GitHub GHSA
ID: GHSA-737v-mqg7-c878
Title: defu: Prototype pollution via `__proto__` key in defaults argument
History

Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
  Values Added: Unjs; Unjs defu
Type: Vendors & Products
  Values Added: Unjs; Unjs defu

Mon, 06 Apr 2026 20:00:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 18:00:00 +0000

Type: Description
  Values Added: (the Description shown at the top of this page)
Type: Title
  Values Added: defu: Prototype pollution via `__proto__` key in defaults argument
Type: Weaknesses
  Values Added: CWE-1321
Type: References
Type: Metrics
  Values Added: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:49:29.040Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35209

Vulnrichment

Updated: 2026-04-06T18:49:25.733Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T18:16:44.157

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35209

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:39:13Z

Weaknesses