CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs Apr 06, 2026

CVE-2026-35209 | unjs defu up to 6.1.4 prototype pollution (GHSA-737v-mqg7-c878)

VulDB Archived Apr 06, 2026 ✓ Full text saved

A vulnerability identified as problematic has been detected in unjs defu up to 6.1.4 . This issue affects the function defu . Performing a manipulation results in improperly controlled modification of object prototype attributes. This vulnerability was named CVE-2026-35209 . The attack may be initiated remotely. There is no available exploit. You should upgrade the affected component.

Full text archived locally
✦ AI Summary · Claude Sonnet

    VDB-355624 · CVE-2026-35209 · GHSA-737V-MQG7-C878 UNJS DEFU UP TO 6.1.4 PROTOTYPE POLLUTION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.3 $0-$5k 0.35+ Summaryinfo A vulnerability labeled as problematic has been found in unjs defu up to 6.1.4. Impacted is the function defu. Executing a manipulation can lead to prototype pollution. The identification of this vulnerability is CVE-2026-35209. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded. Detailsinfo A vulnerability was found in unjs defu up to 6.1.4. It has been declared as problematic. This vulnerability affects the function defu. The manipulation with an unknown input leads to a prototype pollution vulnerability. The CWE definition for the vulnerability is CWE-1321. The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. As an impact it is known to affect integrity. CVE summarizes: defu is software that allows uers to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the merged resul. The internal `_defu` function used `Object.assign({}, defaults)` to copy the defaults object. `Object.assign` invokes the `__proto__` setter, which replaces the resulting object's `[[Prototype]]` with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing `__proto__` key guard in the `for...in` loop and land in the final result. Version 6.1.5 replaces `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which uses `[[DefineOwnProperty]]` and does not invoke the `__proto__` setter. The advisory is shared for download at github.com. This vulnerability was named CVE-2026-35209 since 04/01/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1059. Upgrading to version 6.1.5 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 3942bfbbcaa72084bd4284846c83bd61ed7c8b29 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. Productinfo Vendor unjs Name defu Version 6.1.0 6.1.1 6.1.2 6.1.3 6.1.4 License open-source Website Product: https://github.com/unjs/defu/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 6.4 VulDB Meta Temp Score: 6.3 VulDB Base Score: 5.3 VulDB Temp Score: 5.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 7.5 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Prototype pollution CWE: CWE-1321 / CWE-94 / CWE-74 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: defu 6.1.5 Patch: 3942bfbbcaa72084bd4284846c83bd61ed7c8b29 Timelineinfo 04/01/2026 CVE reserved 04/06/2026 +5 days Advisory disclosed 04/06/2026 +0 days VulDB entry created 04/06/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-737v-mqg7-c878 Status: Confirmed CVE: CVE-2026-35209 (🔒) GCVE (CVE): GCVE-0-2026-35209 GCVE (VulDB): GCVE-100-355624 Entryinfo Created: 04/06/2026 21:21 Changes: 04/06/2026 21:21 (67) Complete: 🔍 Cache ID: 99:8FB:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸
    💬 Team Notes
    Article Info
    Source
    VulDB
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Apr 06, 2026
    Archived
    Apr 06, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗