uPlot Prototype Pollution vulnerability

Severity:: High

Description

Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.

Recommendation

Update the uplot package to the latest compatible version. Followings are version details:

Affected version(s): < 1.6.31
Patched version(s): 1.6.31

References

GHSA-34q8-jcq6-mc37
security.snyk.io
CVE-2024-21489
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo - CVE-2024-21548
@75lb/deep-merge Prototype Pollution vulnerability - CVE-2024-38986
njwt Prototype Pollution vulnerability - CVE-2024-34273
@intlify/shared Prototype Pollution vulnerability - CVE-2024-52810

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Exploiting Server Version Disclosure

Tags:: npm; uplot

Anything's wrong? Let us know Last updated on October 01, 2024