billboard.js allows prototype pollution via the function generate

Severity:: High

Description

billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Recommendation

Update the billboard.js package to the latest compatible version. Followings are version details:

Affected version(s): < 3.15.1
Patched version(s): 3.15.1

References

GHSA-65p9-j6pg-72hj
cve.naver.com
CVE-2025-49223
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

tarteaucitron.js allows prototype pollution via custom text injection - CVE-2025-31475
Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) - CVE-2025-8101
Vue I18n Allows Prototype Pollution in `handleFlatJson` - @intlify/core-base - CVE-2025-27597
Vue I18n Allows Prototype Pollution in `handleFlatJson` - @intlify/core - CVE-2025-27597

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; billboard.js

Anything's wrong? Let us know Last updated on July 29, 2025