CVE-2024-21489
HIGH
uplot < 1.6.31 - Prototype Pollution via uplot.assign Function
Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function because it does not check whether the attribute resolves to the object prototype.
References (3)
Core References
Various Sources
https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224
Scores
CVSS v3
8.2
EPSS
0.0063
EPSS Percentile
45.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1321
Status
published
Products (2)
n/a/uplot
< 1.6.31
npm/uplot
0 - 1.6.31
npm
Published
Oct 01, 2024
Tracked Since
Feb 18, 2026