Prototype Pollution in chartkick

Description

Affected versions of @polymer/polymer are vulnerable to prototype pollution. The package fails to prevent modification of object prototypes through chart options containing a payload such as {"__proto__": {"polluted": true}}. It is possible to achieve the same results if a chart loads data from a malicious server.

Recommendation

Update the chartkick package to the latest compatible version. Followings are version details:

• Affected version(s): >= 3.1.0, <= 3.1.3
• Patched version(s): 3.2.0

References

• GHSA-5pm8-492c-92p5
• chartkick.com
• rubygems.org
• CVE-2019-18841
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Prototype Pollution in lodash - lodash - GHSA-jf85-cpcp-j695 - CVE-2019-10744
• Prototype Pollution in lodash - lodash.defaultsdeep - CVE-2019-10744
• Prototype Pollution in lodash - lodash-es - GHSA-jf85-cpcp-j695 - CVE-2019-10744
• angular Prototype Pollution vulnerability - CVE-2019-10768

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

chartkick