Description
Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function, due to a missing check for whether the attribute resolves to the object prototype.
Scores
CVSS v3: 8.2
EPSS: 0.0016
EPSS Percentile: 36.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-1321
Status: published
Products (2)
n/a/uplot: < 1.6.31
npm/uplot: 0 - 1.6.31 (npm)
Published: Oct 01, 2024
Tracked Since: Feb 18, 2026