defu: Prototype pollution via `__proto__` key in defaults argument
Applications that pass unsanitized user input (for example parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the merged result:

```js
import { defu } from 'defu'

// JSON.parse creates an ordinary own property named "__proto__"
const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}')

// the attacker-controlled object is merged ahead of the defaults
const config = defu(userInput, { isAdmin: false })

config.isAdmin // true — attacker overrides …
```
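The following is an added example and not code from the defu project. It does not reproduce defu's implementation; it shows the language mechanism the advisory relies on (an own `__proto__` key created by `JSON.parse` re-parents any object it is copied onto with ordinary assignment, so a hand-rolled "fill in defaults" merge returns the attacker's value), and two ways to strip such keys from untrusted input before it reaches `defu()` or any other merge helper. The payload string, the `applyDefaultsNaive` merge and the helper names are constructed for this illustration.

```javascript
// Added example (not from defu). Keys that must never come from untrusted input.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed attacker payload, modelled on the one in the advisory.
const PAYLOAD = '{"__proto__":{"isAdmin":true},"name":"mallory"}';

// Plain JSON.parse: "__proto__" becomes an ordinary own property. The
// parsed object's prototype is still Object.prototype at this point.
function parseNaive(text) {
  return JSON.parse(text);
}

// A minimal "copy input, then add missing defaults" merge written the way
// many hand-rolled helpers are. This is NOT defu's code; it only shows why
// an own "__proto__" key is dangerous in any merge built on [[Set]].
function applyDefaultsNaive(input, defaults) {
  // Object.assign uses [[Set]]; for the key "__proto__" that invokes the
  // Object.prototype.__proto__ setter and re-parents `out` onto the
  // attacker's object instead of creating an own property.
  const out = Object.assign({}, input);
  for (const key of Object.keys(defaults)) {
    // `in` also sees inherited keys, so the default is never applied
    if (!(key in out)) out[key] = defaults[key];
  }
  return out;
}

// Mitigation 1: drop dangerous keys at parse time. Returning undefined from
// a JSON.parse reviver deletes that property from its holder.
function parseStripped(text) {
  return JSON.parse(text, (key, value) =>
    DANGEROUS_KEYS.has(key) ? undefined : value
  );
}

// Mitigation 2: rebuild an already-parsed value (e.g. a record read from a
// database) keeping only safe own keys. defineProperty never goes through
// [[Set]], so even a key named "__proto__" could not re-parent `clean`.
function stripDangerousKeys(value) {
  if (Array.isArray(value)) return value.map(stripDangerousKeys);
  if (value === null || typeof value !== "object") return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    Object.defineProperty(clean, key, {
      value: stripDangerousKeys(value[key]),
      enumerable: true,
      writable: true,
      configurable: true,
    });
  }
  return clean;
}

// Outcomes as return values so they can be checked.
function naiveIsAdmin() {
  return applyDefaultsNaive(parseNaive(PAYLOAD), { isAdmin: false }).isAdmin;
}
function naiveResultIsReparented() {
  const out = applyDefaultsNaive(parseNaive(PAYLOAD), { isAdmin: false });
  return Object.getPrototypeOf(out) !== Object.prototype;
}
function strippedIsAdmin() {
  return applyDefaultsNaive(parseStripped(PAYLOAD), { isAdmin: false }).isAdmin;
}
function rebuiltIsAdmin() {
  return applyDefaultsNaive(stripDangerousKeys(parseNaive(PAYLOAD)), { isAdmin: false }).isAdmin;
}
// In this demo only the merged object is re-parented; Object.prototype is untouched.
function globalPrototypeIntact() {
  return ({}).isAdmin === undefined;
}
```

Note that in the naive merge the damage is confined to the returned object (its prototype is swapped for the attacker's object), which is exactly what lets `config.isAdmin` read as `true` while unrelated objects are unaffected; both mitigations leave `isAdmin` at its intended default. Stripping `constructor` and `prototype` as well is deliberate: they are the other common gadgets in prototype-pollution payloads, at the cost of rejecting legitimate data that happens to use those names.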