Detections
Analytics

CVE-2024-21489

high

Description

Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.

References

https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224

https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983

https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452

Details

Source: Mitre, NVD

Published: 2024-10-01

Updated: 2024-10-04

Risk Information

CVSS v2

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:P

Severity: High

CVSS v3

Base Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Severity: High

CVSS v4

Base Score: 8.8

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00363