ankane/chartkick.js

Prototype Pollution in Chartkick.js 3.1.x

Closed this issue · 2 comments

Under certain conditions, the 3.1.x series of Chartkick.js is vulnerable to prototype pollution. This is the same type of issue that was announced for jQuery and other popular libraries earlier this year. jQuery rated this a "minor vulnerability". It's certainly unintended behavior, but since Chartkick.js is a client-side only library, its impact is likely limited. This vulnerability has been assigned the CVE identifier CVE-2019-18841.

Versions Affected: 3.1.0 to 3.1.3
Fixed Versions: 3.2.0
Versions Unaffected: < 3.1.0

Impact

Passing untrusted input to JSON.parse and the result to Chartkick.js can pollute Object.prototype.

var badOptions = JSON.parse('{"__proto__": {"test": true}}')
new Chartkick.LineChart("chart", data, badOptions)
console.log("test" in {})

A specially crafted response in data loaded via URL can cause pollution as well.

new Chartkick.LineChart("chart", "https://evil.com/data")

All users running an affected release should upgrade immediately.
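The merge pattern behind this class of bug, as an added example that is not part of the original post and not Chartkick.js's own code: a naive recursive option merge that lets the JSON.parse'd "__proto__" key shown above reach Object.prototype, beside a hardened merge that drops prototype-related keys. The function names and the UNSAFE_KEYS list are assumptions for illustration, not identifiers from the library.

```javascript
function isPlainObject(value) {
  return Object.prototype.toString.call(value) === "[object Object]";
}

// Vulnerable pattern: recurses into every enumerable key, "__proto__" included.
// target["__proto__"] resolves to Object.prototype, so the nested keys land there.
function naiveMerge(target, source) {
  for (var key in source) {
    if (isPlainObject(source[key])) {
      target[key] = naiveMerge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Assumed deny-list for this example; not a Chartkick.js identifier.
var UNSAFE_KEYS = ["__proto__", "constructor", "prototype"];

// Hardened pattern: own keys only, no prototype-related names, and recursion
// only into a target slot that is itself an own plain object.
function safeMerge(target, source) {
  Object.keys(source).forEach(function (key) {
    if (UNSAFE_KEYS.indexOf(key) !== -1) {
      return; // drop the key rather than walk into the prototype chain
    }
    var value = source[key];
    if (isPlainObject(value)) {
      var own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeMerge(own ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  });
  return target;
}

// Runs the advisory's payload through a merge and reports whether an unrelated
// object inherited "test". Deletes the polluted property afterwards so the
// naive run does not leave the rest of the program on a polluted prototype.
function pollutes(mergeFn) {
  var badOptions = JSON.parse('{"__proto__": {"test": true}}');
  mergeFn({}, badOptions);
  var polluted = "test" in {};
  delete Object.prototype.test;
  return polluted;
}

console.log("naiveMerge pollutes:", pollutes(naiveMerge), "safeMerge pollutes:", pollutes(safeMerge));
```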

Hi, are you sure this vulnerability did not exist before? In 2.1.0, I saw some lines that look like those fixed.

Cheers,

Hey @guimard, I didn't find any other affected versions in my testing, but please follow up with the email address in my profile if you can demonstrate the issue in other versions, and I'll update the CVE accordingly.