CVE-2024-21489 – uplot
Package
Manager: npm
Name: uplot
Vulnerable Version: >=0 <1.6.31
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00535 (percentile: 0.66471)
Details
uPlot Prototype Pollution vulnerability
Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function, due to a missing check for whether the attribute resolves to the object prototype.
Metadata
Created: 2024-10-01T06:30:47Z
Modified: 2024-10-01T18:10:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-34q8-jcq6-mc37/GHSA-34q8-jcq6-mc37.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-34q8-jcq6-mc37
Finding: F390
Auto approve: 1