CVE-2020-7746
HIGHchart.js < 2.9.4 - Prototype Pollution via Options Parameter
Title source: llmDescription
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
References (5)
Core 5
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-CHARTJS-1018716
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019374
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1019375
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCHARTJS-1019376
Patch, Third Party Advisory x_refsource_misc
https://github.com/chartjs/Chart.js/pull/7920
Scores
CVSS v3
7.5
EPSS
0.0468
EPSS Percentile
90.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-1321
Status
published
Products (2)
chartjs/chart.js
< 2.9.4
npm/chart.js
0 - 2.9.4npm
Published
Oct 29, 2020
Tracked Since
Feb 18, 2026