[Bug]: Prototype Pollution Vulnerability Affecting chartist module, versions >=1.0.0 <=1.3.0 #1427

@tariqhawis

Description

Would you like to work on a fix?

  • Check this if you would like to implement a PR; we are more than happy to help you through the process.

Current and expected behavior

Overview

A Prototype Pollution vulnerability affects chartist, versions >=1.0.0 <=1.3.0, due to a missing check for whether the argument resolves to the object prototype. This allows an attacker to inject a malicious object property using the built-in Object property __proto__, which is then recursively assigned to all objects in the program.

Reproduction

sent directly to the maintainer's email

Chartist version

1.3.0

Possible solution

  • Freeze the root prototype using Object.freeze.
  • Require schema validation of JSON input.
  • Avoid using unsafe recursive merge functions.
  • Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
  • As a best practice, use Map instead of Object.
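The bug class described in the overview and the "avoid unsafe recursive merge" point above, as an added example that is not chartist's own code: a minimal recursive options merge whose missing prototype check lets a JSON "__proto__" key reach Object.prototype, next to a hardened merge that skips prototype-reaching keys and only descends into own properties. The merge functions, the probe helper and the payload are constructed for illustration.

```javascript
// Added example, not chartist's own code: a minimal recursive options
// merge of the kind the report describes, next to a hardened version.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable shape: every key of `source` is walked, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// the nested keys onto the shared prototype of every object in the program.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip prototype-reaching keys, read only own keys of the source,
// and never descend into a value the target merely inherits.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = hasOwn(target, key) && isPlainObject(target[key])
        ? target[key] : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: a JSON options object carrying a "__proto__" key.
const PAYLOAD = '{"__proto__": {"polluted": true}, "title": "Sales"}';

// Merges the payload with the given function and reports whether an
// unrelated, freshly created object picked up the injected key.
function mergeAndProbe(merge) {
  merge({ title: "Default" }, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // clean up so later checks start clean
  return leaked;
}
```

mergeAndProbe(unsafeMerge) returns true and mergeAndProbe(safeMerge) returns false; the same probe can be dropped into a test suite to catch a regression in any merge helper.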
