
[Bug]: Prototype Pollution Vulnerability Affecting chartist module, versions >=1.0.0 <=1.3.0

Open tariqhawis opened this issue 1 year ago • 2 comments

Would you like to work on a fix?

  • [ ] Check this if you would like to implement a PR, we are more than happy to help you go through the process.

Current and expected behavior

Overview

A Prototype Pollution vulnerability affecting chartist, versions >=1.0.0 <=1.3.0, due to a missing check if the argument resolves to the object prototype. This allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.

Reproduction

sent directly to the maintainer's email

Chartist version

1.3.0

Possible solution

  • Freeze the root prototype using Object.freeze
  • Require schema validation of JSON input.
  • Avoid using unsafe recursive merge functions.
  • Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
  • As a best practice use Map instead of Object

tariqhawis avatar Mar 29 '24 20:03 tariqhawis
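The report above describes a recursive merge that never checks whether a key resolves to the object prototype. The following is an added illustration, not chartist's own code and not the reporter's reproduction: a generic recursive `extend` of that shape beside a hardened version that skips the prototype-reaching keys (`__proto__`, `constructor`, `prototype`) and only recurses into own properties. The `PAYLOAD` options document and the `polluted` property name are constructed for the demonstration.

```javascript
// Added example: a generic recursive extend of the kind the report describes
// (hypothetical, not chartist's implementation), beside a hardened version.

function isPlainObjectLike(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: nothing checks that `key` resolves to the object prototype.
// For key "__proto__", target[key] is Object.prototype, so the recursion
// writes the attacker's properties straight into it.
function unsafeExtend(target, ...sources) {
  target = target || {};
  for (const source of sources) {
    if (!isPlainObjectLike(source)) continue;
    for (const key of Object.keys(source)) {
      const value = source[key];
      if (isPlainObjectLike(value)) {
        if (!isPlainObjectLike(target[key])) target[key] = {};
        unsafeExtend(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hardened: refuse keys that reach the prototype chain, and only descend into
// properties the target itself owns, so a lookup can never land on
// Object.prototype (or any other inherited object).
function safeExtend(target, ...sources) {
  target = target || {};
  for (const source of sources) {
    if (!isPlainObjectLike(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const value = source[key];
      if (isPlainObjectLike(value)) {
        if (!hasOwn(target, key) || !isPlainObjectLike(target[key])) {
          target[key] = {};
        }
        safeExtend(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Constructed attacker input: an options document from an untrusted source.
// JSON.parse creates an *own* property literally named "__proto__", which
// Object.keys() then hands to the merge.
const PAYLOAD =
  '{"axisX": {"showGrid": false}, "__proto__": {"polluted": "yes"}}';

// Runs both merges against the payload and reports whether a fresh, unrelated
// object ends up inheriting the injected property. Cleans up afterwards so the
// pollution does not outlive the demonstration.
function runPollutionDemo() {
  const result = {};
  try {
    unsafeExtend({}, JSON.parse(PAYLOAD));
    result.unsafePolluted = ({}).polluted === 'yes';
    delete Object.prototype.polluted;

    safeExtend({}, JSON.parse(PAYLOAD));
    result.safePolluted = ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
  return result;
}

console.log(JSON.stringify(runPollutionDemo()));
```

Blocking the three keys closes the `__proto__` route and the `constructor.prototype` route; the own-property check is what stops a key like `toString` from being treated as an existing nested object. Freezing `Object.prototype` (also listed under the possible solutions) is a process-wide mitigation rather than a fix in the merge, and using a `Map` or an `Object.create(null)` target for parsed options removes the prototype chain altogether.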

Fix:

  • #1433

andersk avatar Oct 02 '24 18:10 andersk

Is there any chance the PR will be accepted soon? And would a new release be forthcoming afterwards?

fmooreNS avatar Oct 15 '24 14:10 fmooreNS

@gionkunz @dangreen could you please help us here

mihaileu avatar Mar 21 '25 14:03 mihaileu