CVE-2024-21489 Information

Description

Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function, due to a missing check for whether the attribute resolves to the object prototype.
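The bug class described above, shown as an added example that is not uPlot's code or its patch: a recursive merge without a prototype check beside a hardened form. The names unsafeAssign, safeAssign and demo, and the JSON input, are hypothetical and constructed for illustration.

```javascript
// Added illustration: unsafeAssign/safeAssign are hypothetical, not uPlot's source.
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// "Before" shape of the bug class: recursive merge that follows any key.
function unsafeAssign(target, ...sources) {
  for (const src of sources) {
    for (const key in src) {
      if (isObj(src[key])) {
        // target["__proto__"] resolves to Object.prototype, so the merge recurses into it.
        if (!isObj(target[key])) target[key] = {};
        unsafeAssign(target[key], src[key]);
      } else {
        target[key] = src[key];
      }
    }
  }
  return target;
}

// Hardened form: skip prototype-reaching keys and only recurse into own properties.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeAssign(target, ...sources) {
  for (const src of sources) {
    for (const key of Object.keys(src)) {
      if (BLOCKED_KEYS.has(key)) continue;
      const val = src[key];
      if (isObj(val)) {
        if (!hasOwn(target, key) || !isObj(target[key])) target[key] = {};
        safeAssign(target[key], val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Merge a constructed untrusted options object and report what leaked.
function demo(assignFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "width": 400}');
  const opts = assignFn({}, payload);
  const leaked = ({}).polluted; // set on unrelated objects only if Object.prototype was modified
  delete Object.prototype.polluted; // restore global state after the demonstration
  return { width: opts.width, leaked };
}

console.log("unsafe:", demo(unsafeAssign), "safe:", demo(safeAssign));
```

JSON.parse creates "__proto__" as an own property, which is why parsed untrusted input reaches the merge with that key intact.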

Reference

https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224
https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452
https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983
