Description
billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
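The description above names the vulnerability class (prototype pollution through attacker-controlled properties reaching an option-merging routine) but not the mechanics. The following is an added illustration, not billboard.js code and not a reproduction of its `generate` function: a generic naive deep-merge of user-supplied options (the pattern this class of bug lives in), a hardened merge that drops the `__proto__`, `constructor` and `prototype` keys, and a runtime probe that tells a defender whether `Object.prototype` has already been polluted. The JSON payload inside `demo()` is constructed for the example.

```javascript
// Added example (not billboard.js's own code): shows how a naive deep-merge of
// untrusted options pollutes Object.prototype, and a hardened merge that does not.

// Keys that let a merge walk out of the target object into the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: recursive merge of caller-supplied options into defaults.
// JSON.parse creates an OWN property literally named "__proto__", so the loop
// sees it; target["__proto__"] then resolves to Object.prototype and the
// recursion writes the injected properties onto every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: refuse the polluting keys and only recurse into properties
// the target actually owns, so inherited objects are never used as merge targets.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime detection: a fresh empty object must not inherit the probed key.
function isPrototypePolluted(probeKey) {
  return probeKey in {};
}

// Runs both merges over the same constructed payload and reports the outcome.
function demo() {
  // Constructed sample input, as an untrusted options object might arrive over JSON.
  const payload = JSON.parse(
    '{"__proto__": {"polluted": "yes"}, "size": {"width": 300}}'
  );

  naiveMerge({}, payload);
  const naivePolluted = isPrototypePolluted('polluted');
  delete Object.prototype.polluted; // clean up so the rest of the process is unaffected

  const opts = safeMerge({ size: { width: 100, height: 50 } }, payload);
  const safePolluted = isPrototypePolluted('polluted');

  return {
    naivePolluted,          // true: the naive merge reached Object.prototype
    safePolluted,           // false: the hardened merge dropped "__proto__"
    width: opts.size.width, // 300: legitimate nested options still merge
    height: opts.size.height, // 50: defaults not named in the payload survive
  };
}

console.log(demo());
```

The probe in `isPrototypePolluted` is useful beyond this example: calling it at startup with a few sentinel keys, or wrapping option objects in `Object.freeze(Object.create(null))`-style containers, gives an application a cheap tripwire while the dependency is being upgraded to the patched release.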
Recommendation
Update the billboard.js package to the latest compatible version. Version details are as follows:
- Affected version(s): < 3.15.1
- Patched version(s): 3.15.1
References
Related Issues
- tarteaucitron.js allows prototype pollution via custom text injection - CVE-2025-31475
- `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` - CVE-2025-62381
- Prototype pollution in ag-grid-community via the _.mergeDeep function (GHSA-876p-c77m-x2hc) - CVE-2024-38996
- Vega allows Cross-site Scripting via the vlSelectionTuples function (GHSA-mp7w-mhcv-673j) - CVE-2025-25304
Tags:
- npm
- billboard.js
Last updated on July 29, 2025