Description
billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
Recommendation
Update the billboard.js package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.15.1
- Patched version(s): 3.15.1
References
Related Issues
- tarteaucitron.js allows prototype pollution via custom text injection - CVE-2025-31475
- jsonic was discovered to contain a prototype pollution via the function empty. - CVE-2024-38993
- Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) - CVE-2025-8101
- Prototype pollution in ag-grid-community via the _.mergeDeep function (GHSA-876p-c77m-x2hc) - CVE-2024-38996
- Tags:
- npm
- billboard.js
Anything's wrong? Let us know Last updated on July 29, 2025