CVE-2024-21489
uPlot Prototype Pollution vulnerability
8.2
HIGH
CVSS 3.1
EPSS 0.16%
Description
Versions of the uplot package before 1.6.31 are vulnerable to Prototype Pollution via the `uplot.assign` function, which does not check whether a key being assigned resolves to the object prototype.
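As an added illustration (this is not uPlot's code and not the real `uplot.assign` implementation), the pattern the description refers to: a recursive deep-assign that never checks whether a key resolves to the object prototype, next to a hardened version that walks own keys only and skips `__proto__`, `constructor` and `prototype`. The names `assignUnsafe`, `assignSafe`, `isPlainObject`, `demo` and the `PAYLOAD` options object are constructed for this example.

```javascript
// Added example, not uPlot's own code: a generic deep-assign helper in the
// shape of `assign(target, ...sources)`, first as the unsafe pattern that
// CVE-2024-21489 describes, then hardened.

// A "plain" object: a literal or JSON.parse result, not an array/Map/etc.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// UNSAFE: iterates every key of the source and recurses into target[key]
// whenever it is an object. For the key "__proto__", target[key] is
// Object.prototype, so the recursion writes onto the shared prototype.
function assignUnsafe(target, ...sources) {
  for (const src of sources) {
    for (const key in src) {
      const val = src[key];
      if (val !== null && typeof val === 'object') {
        if (target[key] === null || typeof target[key] !== 'object') {
          target[key] = {};
        }
        assignUnsafe(target[key], val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Keys that resolve to the prototype chain rather than to ordinary data.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: own keys only, prototype-related keys are skipped, and recursion
// only continues into a slot that is an *own* plain object on the target.
function assignSafe(target, ...sources) {
  for (const src of sources) {
    if (src === null || typeof src !== 'object') continue;
    for (const key of Object.keys(src)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const val = src[key];
      if (isPlainObject(val)) {
        if (!Object.prototype.hasOwnProperty.call(target, key) ||
            !isPlainObject(target[key])) {
          target[key] = {};
        }
        assignSafe(target[key], val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Constructed input: the shape an untrusted options object could take.
// JSON.parse creates an *own* property literally named "__proto__".
const PAYLOAD = JSON.parse('{"title":"demo","__proto__":{"polluted":true}}');

// Runs both helpers against the same input and reports what leaked.
function demo() {
  const canary = {};                      // unrelated object used as a detector
  assignUnsafe({}, PAYLOAD);
  const unsafeLeaked = canary.polluted === true;
  delete Object.prototype.polluted;       // undo the pollution for the rest of the process

  const out = assignSafe({}, PAYLOAD);
  return {
    unsafeLeaked,                                        // true
    safeLeaked: canary.polluted === true,                // false
    safeTitle: out.title,                                // "demo": ordinary keys still merge
    safeOwnProto: Object.prototype.hasOwnProperty.call(out, '__proto__'), // false
  };
}
```

The `canary` object is the cheapest regression check to keep in a test suite: after merging any untrusted options, an empty object must still have no unexpected properties. Upgrading to the fixed package version remains the remediation; the hardened helper shows what the fix has to guarantee.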
How to fix CVE-2024-21489
To remediate CVE-2024-21489, upgrade the affected package to a fixed version below.
- npm/uplot: upgrade to 1.6.31 or later
Is CVE-2024-21489 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- uplot: >= 0, < 1.6.31
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L |