Nixpkgs security tracker
7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
defu: Prototype pollution via `__proto__` key in defaults argument
defu is software that allows uers to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the merged resul. The internal `_defu` function used `Object.assign({}, defaults)` to copy the defaults object. `Object.assign` invokes the `__proto__` setter, which replaces the resulting object's `[[Prototype]]` with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing `__proto__` key guard in the `for...in` loop and land in the final result. Version 6.1.5 replaces `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which uses `[[DefineOwnProperty]]` and does not invoke the `__proto__` setter.
References
-
https://github.com/unjs/defu/security/advisories/GHSA-737v-mqg7-c878 x_refsource_CONFIRM
-
https://github.com/unjs/defu/pull/156 x_refsource_MISC
-
https://github.com/unjs/defu/releases/tag/v6.1.5 x_refsource_MISC
Affected products
- ==< 6.1.5
Matching in nixpkgs
pkgs.defuddle-cli
Command line utility to extract clean html, markdown and metadata from web pages
pkgs.haskellPackages.defun
Defunctionalization helpers
pkgs.kodiPackages.defusedxml
defusing XML bombs and other exploits
-
nixos-unstable 0.6.0+matrix.1
- nixpkgs-unstable 0.6.0+matrix.1
- nixos-unstable-small 0.6.0+matrix.1
-
nixos-25.11 0.6.0+matrix.1
- nixos-25.11-small 0.6.0+matrix.1
- nixpkgs-25.11-darwin 0.6.0+matrix.1
pkgs.haskellPackages.defun-sop
Defunctionalization helpers: lists
pkgs.haskellPackages.defun-bool
Defunctionalization helpers: booleans
pkgs.haskellPackages.defun-core
Defunctionalization helpers: core definitions
pkgs.python312Packages.defusedcsv
Python library to protect your users from Excel injections in CSV-format exports, drop-in replacement for standard library's csv module
pkgs.python312Packages.defusedxml
Python module to defuse XML issues
pkgs.python313Packages.defusedcsv
Python library to protect your users from Excel injections in CSV-format exports, drop-in replacement for standard library's csv module
pkgs.python313Packages.defusedxml
Python module to defuse XML issues
pkgs.python314Packages.defusedcsv
Python library to protect your users from Excel injections in CSV-format exports, drop-in replacement for standard library's csv module
pkgs.python314Packages.defusedxml
Python module to defuse XML issues
Package maintainers
-
@sephalon Stefan Wiehler <me@sephalon.net>
-
@dschrempf Dominik Schrempf <dominik.schrempf@gmail.com>
-
@aanderse Aaron Andersen <aaron@fosslib.net>
-
@edwtjo Edward Tjörnhammar <ed@cflags.cc>
-
@minijackson Rémi Nicole <minijackson@riseup.net>
-
@peterhoeg Peter Hoeg <peter@hoeg.com>
-
@cpages Carles Pagès <page@ruiec.cat>
-
@nvmd Sergey Kazenyuk <kazenyuk@pm.me>
-
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>