Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.

Affected Packages

npm uplot

Affected versions: 0 (fixed in 1.6.31)

Related CVEs

CVE-2024-21489

Key Information

GHSA ID

GHSA-34q8-jcq6-mc37

Published

October 1, 2024 6:30 AM

Last Modified

October 1, 2024 6:10 PM

CVSS Score

7.5 /10

Primary Ecosystem

npm

Primary Package

uplot

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.