Description
Affected versions of plotly.js are vulnerable to cross-site scripting if an attacker can convince a user to visit a malicious plot on a site using this package.
Recommendation
Update the plotly.js package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.16.0
- Patched version(s): 1.16.0
References
- GHSA-2fqv-h3r5-m4vf
- acloudtree.com
- www.npmjs.com
- help.plot.ly
- CVE-2017-1000006
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- rollbar vulnerable to prototype pollution - CVE-2025-57325
- Prebid.js NPM package briefly compromised - CVE-2025-59038
- devalue prototype pollution vulnerability - CVE-2025-57820
- js-toml Prototype Pollution Vulnerability - CVE-2025-54803
- Tags:
- npm
- plotly.js
Anything's wrong? Let us know Last updated on January 09, 2023