Defu Prototype Pollution Vulnerability

Vulnerability

A prototype pollution vulnerability has been identified in the Defu library, affecting versions through 6.1.4. The issue arises when applications pass unsanitized user input, such as parsed JSON request bodies or database records, as the first argument to the Defu function. A crafted payload containing a '__proto__' key can manipulate default values in the merged result. The flaw lies in the internal '_defu' function, which originally used 'Object.assign' to copy default properties. Because 'Object.assign' assigns each own key with an ordinary property set, an own '__proto__' key in the input triggers the '__proto__' setter, allowing attacker-controlled values to replace the prototype of the merged object, bypassing the library's key checks and altering the final output.

Impact

Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject properties into an object's prototype, potentially leading to unauthorized access or modification of data within the application.

Reproduction

To reproduce this vulnerability, use a version of Defu prior to 6.1.5. Pass a JSON payload as the first argument to the Defu function, including a '__proto__' key with a value that overrides a default property. The injected property will appear in the merged result, demonstrating the successful exploitation of the prototype pollution vulnerability.

Remediation

Users can upgrade to Defu version 6.1.5 or later, where this vulnerability has been patched by changing the method of copying default properties to a technique that does not invoke the '__proto__' setter.
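The following is an added illustration, not code from the Defu project or from this advisory. It reproduces the mechanism described in the Vulnerability and Reproduction sections with a minimal "apply defaults" merge written two ways: one that copies the input with Object.assign (so an own '__proto__' key from JSON.parse swaps the prototype of the merged object and masks the real defaults), and one that copies only own keys as data properties while skipping prototype-reaching keys, which is one technique of the kind the Remediation section refers to (the names mergeDefaultsUnsafe, mergeDefaultsSafe and containsPrototypeKey, the sample defaults and the payload are all constructed here; the safe variant is not claimed to be Defu's actual fix).

```javascript
// Added illustration (not defu's code): a shallow "fill in defaults" merge,
// vulnerable and hardened, plus an input check usable before any merge.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern, as the advisory describes it: Object.assign copies the
// input with ordinary property sets, so an own "__proto__" key produced by
// JSON.parse invokes the __proto__ setter and replaces the prototype of the
// fresh object. Defaults are then "already present" via the polluted prototype.
function mergeDefaultsUnsafe(input, defaults) {
  const object = Object.assign({}, input); // prototype can be swapped here
  for (const key of Object.keys(defaults)) {
    if (object[key] === undefined) {
      object[key] = defaults[key];
    }
  }
  return object;
}

// Hardened pattern: walk own enumerable keys only, skip keys that reach the
// prototype chain, and install values as own data properties so no setter runs.
function defineOwn(target, key, value) {
  Object.defineProperty(target, key, {
    value,
    writable: true,
    enumerable: true,
    configurable: true,
  });
}

function mergeDefaultsSafe(input, defaults) {
  const object = {};
  for (const key of Object.keys(input)) {
    if (UNSAFE_KEYS.has(key)) continue;
    defineOwn(object, key, input[key]);
  }
  for (const key of Object.keys(defaults)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (!Object.prototype.hasOwnProperty.call(object, key)) {
      defineOwn(object, key, defaults[key]);
    }
  }
  return object;
}

// Input validation: true if any nested plain object carries a key that could
// reach the prototype chain. Useful as a reject-early check on request bodies
// before they are handed to any merge helper.
function containsPrototypeKey(value) {
  if (Array.isArray(value)) return value.some(containsPrototypeKey);
  if (!isPlainObject(value)) return false;
  for (const key of Object.keys(value)) {
    if (UNSAFE_KEYS.has(key)) return true;
    if (containsPrototypeKey(value[key])) return true;
  }
  return false;
}

// Constructed sample data for the demonstration.
const DEFAULTS = { isAdmin: false, retries: 3 };
const CONSTRUCTED_PAYLOAD = JSON.parse('{"retries": 1, "__proto__": {"isAdmin": true}}');

function demonstrate() {
  const unsafe = mergeDefaultsUnsafe(CONSTRUCTED_PAYLOAD, DEFAULTS);
  const safe = mergeDefaultsSafe(CONSTRUCTED_PAYLOAD, DEFAULTS);
  return {
    // read through the swapped prototype, although no own property exists
    unsafeIsAdmin: unsafe.isAdmin,
    unsafeOwnIsAdmin: Object.prototype.hasOwnProperty.call(unsafe, 'isAdmin'),
    unsafePrototypeSwapped: Object.getPrototypeOf(unsafe) !== Object.prototype,
    // the hardened merge applies the real default
    safeIsAdmin: safe.isAdmin,
    // the effect is local to the merged object; Object.prototype is untouched
    globalIntact: ({}).isAdmin === undefined,
  };
}

module.exports = { mergeDefaultsUnsafe, mergeDefaultsSafe, containsPrototypeKey, demonstrate, CONSTRUCTED_PAYLOAD };
```

Running demonstrate() shows the point of the advisory: the unsafe merge reports isAdmin as true even though the result has no own isAdmin property, while the hardened merge yields the configured default. Note that the pollution here is confined to the merged object rather than the global Object.prototype, which is why detection should check the output of the merge (own keys versus inherited values) and not only the global prototype.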

Added: Apr 6, 2026, 6:21 PM
Updated: Apr 6, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 5.4
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.