
fix: prototype pollution vulnerability in extend (CVE-2024-45435)

Open andersk opened this issue 1 year ago • 2 comments

  • Fixes #1427.

https://nvd.nist.gov/vuln/detail/CVE-2024-45435
https://gist.github.com/tariqhawis/c67177164d3b7975210caddb25b60d62

andersk avatar Oct 02 '24 18:10 andersk

Hi @andersk ,

Thank you for your feedback regarding the report. I would like to highlight an additional prototype accessor: constructor.prototype. A potential injection could look like this:

extend({}, JSON.parse('{"constructor":{"prototype":{"polluted":"yes"}}}'));

Checking for the presence of constructor in the input should be sufficient.

Best, Tariq

tariqhawis avatar Oct 02 '24 19:10 tariqhawis

Checking for the presence of constructor in the input should be sufficient.

Nope, it’s not.

extend({}, {"hasOwnProperty": {"polluted": "yes"}});
console.log(Object.prototype.hasOwnProperty.polluted); // → yes

I’ve pushed a more complete fix.

andersk avatar Oct 02 '24 20:10 andersk
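As an added illustration of the two bypasses discussed above (constructor.prototype and hasOwnProperty), and not code from chartist or from either commenter: a naive recursive extend of the kind the CVE describes, beside a hardened version, both run against the three payloads quoted in this thread. naiveExtend, safeExtend, pollutes and audit are assumed names.

```javascript
// Constructed example, not chartist's own code: a naive recursive extend of the
// kind this CVE describes, beside a hardened version, both run against the
// three payloads quoted in this thread.
const hasOwn = Object.prototype.hasOwnProperty; // saved before anything can shadow it
const isMergeable = (v) => typeof v === 'object' && v !== null && !Array.isArray(v);

function naiveExtend(target, ...sources) {
  target = target || {};
  for (const source of sources) {
    for (const prop in source) {
      const value = source[prop];
      // target[prop] is read through the prototype chain, so "__proto__", "constructor"
      // and "hasOwnProperty" resolve to shared built-ins that the recursion then mutates.
      target[prop] = isMergeable(value) ? naiveExtend(target[prop], value) : value;
    }
  }
  return target;
}

const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

function safeExtend(target, ...sources) {
  target = target || {};
  for (const source of sources) {
    if (!isMergeable(source)) continue;
    for (const prop of Object.keys(source)) { // own enumerable keys only
      if (BLOCKED.has(prop)) continue; // never follow prototype accessors
      const value = source[prop];
      // Recurse only into a plain object the target itself owns; anything inherited
      // (e.g. Object.prototype.hasOwnProperty) is shadowed by a fresh object instead.
      const own = hasOwn.call(target, prop) && isMergeable(target[prop]) ? target[prop] : {};
      target[prop] = isMergeable(value) ? safeExtend(own, value) : value;
    }
  }
  return target;
}

const PAYLOADS = [
  '{"__proto__":{"polluted":"yes"}}',
  '{"constructor":{"prototype":{"polluted":"yes"}}}',
  '{"hasOwnProperty":{"polluted":"yes"}}',
];

// Feeds one JSON payload to an extend implementation and reports whether a shared
// built-in picked up the marker, then cleans up so each check is independent.
function pollutes(extendFn, payloadJson) {
  try { extendFn({}, JSON.parse(payloadJson)); } catch (e) { /* strict mode may throw after the damage is done */ }
  const hit = Object.prototype.polluted === 'yes' || hasOwn.polluted === 'yes';
  delete Object.prototype.polluted;
  delete hasOwn.polluted;
  return hit;
}
const audit = (extendFn) => PAYLOADS.map((p) => pollutes(extendFn, p)); // naive: [true,true,true], safe: [false,false,false]
```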

Please merge this fix, as its severity score is high.

praveen-zensar avatar Jan 20 '25 05:01 praveen-zensar

@andersk You should run the "update storyshots" action manually in your fork, then download the artifacts and update the screenshots in your branch.

dangreen avatar Apr 07 '25 18:04 dangreen

@dangreen I did that and it resulted in no changes.

https://github.com/andersk/chartist/actions/runs/14316237387/job/40122907313
https://github.com/andersk/chartist/actions/runs/14316237387/artifacts/2897050220

andersk avatar Apr 07 '25 18:04 andersk

@andersk put all images from https://github.com/andersk/chartist/actions/runs/14316237387/artifacts/2897050220 into https://github.com/andersk/chartist/tree/main/test/image_snapshots

dangreen avatar Apr 07 '25 18:04 dangreen

Never mind, figured it out, fixed.

andersk avatar Apr 07 '25 18:04 andersk

https://github.com/chartist-js/chartist/releases/tag/v1.3.1

dangreen avatar Apr 07 '25 19:04 dangreen