## Nuxt Server Security Patch: Defu Library Prototype Pollution Vulnerability (CVE-2026-35209) Fixed
A critical prototype pollution vulnerability in the `defu` library, tracked as CVE-2026-35209, has been patched in a recent server update. The flaw, present in `defu` versions 6.1.4 and earlier, could be exploited via a malicious `__proto__` key, potentially allowing attackers to modify an object's prototype and execute arbitrary code or cause a denial of service. This vulnerability triggered a failure in the Trivy security check within the project's continuous integration (CI) pipeline, forcing immediate remediation.
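To make the mechanism concrete, here is an added example that is not code from `defu`, from the patched server, or from the advisory: a naive recursive merge of the kind that prototype-pollution bugs live in, a hardened merge that refuses the keys able to reach `Object.prototype`, and an input-side walker that flags such keys before untrusted JSON is merged at all. All function names and the payload are constructed for illustration.

```javascript
// Added example (hypothetical helpers, not defu's code): why a "__proto__" key in
// merged input is dangerous, and two defensive answers to it.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Naive recursive merge with no key filtering. JSON.parse creates an *own*
// property literally named "__proto__" on the source, so source[key] returns the
// attacker-supplied object. The target, however, has no own property of that
// name, so target["__proto__"] goes through the inherited accessor and returns
// Object.prototype, and the recursion writes into the prototype shared by every
// plain object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drop the three keys that can redirect a write to a prototype,
// and only recurse into properties the target actually owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input-side check for an API boundary: list every path in a parsed payload whose
// key could reach a prototype, so the request can be rejected and logged instead
// of merged. Paths use a "$.a.b" notation chosen here for readability.
function findUnsafeKeys(value, path = '$', found = []) {
  if (!isPlainObject(value)) return found;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (UNSAFE_KEYS.has(key)) found.push(here);
    findUnsafeKeys(value[key], here, found);
  }
  return found;
}

// Runs one merge against a constructed payload and reports whether a fresh
// object afterwards inherits the injected property; cleans up so the process
// is left unpolluted either way.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed input
  mergeFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));   // false
console.log('flagged paths:', findUnsafeKeys(JSON.parse('{"a":{"__proto__":{"x":1}}}')));
```

The walker is the piece worth wiring into request validation: rejecting a body that contains these keys gives a log line to alert on, whereas a silently sanitising merge hides the attempt.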

The fix involves an explicit update of the `defu` dependency to the patched version 6.1.5. To enforce this upgrade across the project and its dependencies, a pnpm override has been added to the root `package.json` file. This ensures that all sub-dependencies resolve to the secure version, mitigating the risk of the vulnerability being introduced through indirect dependencies. The primary verification steps for the patch are straightforward: confirming that the Trivy security scan now passes in CI and that the `pnpm-lock.yaml` file correctly locks `defu` to version 6.1.5.
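The two verification steps above can be turned into a small CI guard. The following is an added example, not the patched project's own tooling: it checks that the root `package.json` declares a pnpm override for `defu` (pnpm's real `pnpm.overrides` field) and that every `defu@<version>` entry resolved in `pnpm-lock.yaml` is at least the fixed version. The `package.json` object and the two lock-file excerpts are constructed; only the `defu` version numbers come from the advisory.

```javascript
// Added example: CI guard for the defu pin. Helper names are hypothetical.

const FIXED_DEFU = '6.1.5'; // version stated in the advisory

// Numeric per-component comparison of "x.y.z" strings (no prerelease handling).
function atLeast(version, floor) {
  const a = version.split('.').map(Number);
  const b = floor.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Does the root package.json force defu to the fixed version for the whole tree?
// Accepts an exact pin or a ">=" floor at the fixed version.
function hasDefuOverride(pkg, fixed = FIXED_DEFU) {
  const spec = pkg && pkg.pnpm && pkg.pnpm.overrides && pkg.pnpm.overrides.defu;
  return spec === fixed || spec === `>=${fixed}`;
}

// Every "defu@<version>" key in the lockfile (the packages/snapshots sections,
// with or without the leading "/" older lockfile versions use) is a resolved
// copy. Return the distinct versions older than the fix.
function vulnerableDefuEntries(lockText, fixed = FIXED_DEFU) {
  const versions = new Set();
  for (const m of lockText.matchAll(/(?:^|[\s\/'])defu@(\d+\.\d+\.\d+)/g)) versions.add(m[1]);
  return [...versions].filter((v) => !atLeast(v, fixed));
}

function auditDefu(pkg, lockText) {
  const overridePresent = hasDefuOverride(pkg);
  const staleVersions = vulnerableDefuEntries(lockText);
  return { overridePresent, staleVersions, ok: overridePresent && staleVersions.length === 0 };
}

// Constructed inputs: a root package.json with the override, and lockfile
// excerpts before and after running the upgrade.
const SAMPLE_PACKAGE_JSON = { name: 'server', pnpm: { overrides: { defu: '6.1.5' } } };

const SAMPLE_LOCK_BEFORE = `packages:
  defu@6.1.4:
    resolution: {integrity: sha512-CONSTRUCTED}
  some-dep@1.0.0:
    dependencies:
      defu: 6.1.4
`;

const SAMPLE_LOCK_AFTER = `packages:
  defu@6.1.5:
    resolution: {integrity: sha512-CONSTRUCTED}
  some-dep@1.0.0:
    dependencies:
      defu: 6.1.5
`;

console.log('before upgrade:', auditDefu(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_BEFORE));
console.log('after upgrade:', auditDefu(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_AFTER));
```

In a pipeline, read the real files with `fs.readFileSync`, call `auditDefu`, and exit non-zero when `ok` is false; this catches a future lockfile regression even if the scanner's database lags behind.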

While the patch directly resolves the CI failure, the underlying security implication is significant for any application using the affected `defu` versions. Prototype pollution is a severe JavaScript/Node.js vulnerability that can lead to remote code execution, especially in server-side contexts. This update highlights the continuous pressure on open-source maintainers to respond swiftly to vulnerabilities in foundational utility libraries, which can have cascading security impacts across countless dependent projects and deployments.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, npm, server, CVE-2026-35209
- **Credibility**: unverified
- **Published**: 2026-04-08 08:27:02
- **ID**: 54589
- **URL**: https://whisperx.ai/en/intel/54589