CVE-2024-21489 – uplot: Prototype Pollution in uplot

https://notcve.org/view.php?id=CVE-2024-21489

01 Oct 2024 — Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype. A flaw was found in uPlot. This vulnerability allows prototype pollution via the uplot.assign function due to missing checks for attributes that resolve to the object prototype. • https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •