CVE-2020-7746
Prototype Pollution vulnerability in chart.js (npm)
What is CVE-2020-7746 About?
This vulnerability in chart.js before 2.9.4 allows for prototype pollution due to improper sanitization of the 'options' parameter. When options are merged, keys are not checked, allowing attackers to inject or modify properties on the Object.prototype. This can lead to various impacts including arbitrary code execution, denial of service, or data manipulation, depending on the application's context.
Affected Software
Technical Details
The vulnerability in chart.js, affecting versions prior to 2.9.4, is a prototype pollution issue. It stems from the improper sanitization and processing of the 'options' parameter during a deep merge operation. When new options are provided to chart.js, they are merged with existing or default options. The merging mechanism, however, does not adequately validate or restrict the keys of the object being set. This oversight allows an attacker to inject special keys, such as '__proto__' or 'constructor.prototype', into the 'options' parameter. By supplying a crafted object through this parameter, the attacker can then add or modify properties on the global 'Object.prototype'. Once 'Object.prototype' is polluted, these injected properties become available to all objects in the JavaScript application, potentially leading to unintended behavior, denial of service, or even remote code execution if sensitive methods are overwritten.
What is the Impact of CVE-2020-7746?
Successful exploitation may allow attackers to inject or modify properties on the Object.prototype, which can lead to arbitrary code execution, denial of service, data manipulation, or other unexpected application behavior.
What is the Exploitability of CVE-2020-7746?
Exploitation generally involves supplying specially crafted input to a web application that uses the vulnerable chart.js library. This is typically a client-side vulnerability, but if the 'options' parameter is supplied from a server-side component or used in a server-side JavaScript environment, it could extend to server-side impacts. No authentication is typically required, as it exploits how the library processes user-supplied data, making it a remote attack. The complexity can vary based on finding a suitable injection point for the 'options' parameter. Special conditions might involve interacting with an application feature that allows custom chart configurations. The risk factor is increased if the application extensively uses chart.js with user-controlled configuration options.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7746?
About the Fix from Resolved Security
The patch mitigates prototype pollution by ensuring that merges and initial configurations use objects created with Object.create(null), which have no prototype and thus cannot be polluted via __proto__ or constructor.prototype properties. This directly addresses CVE-2020-7746, since the vulnerability allowed attackers to inject properties into Object.prototype through crafted input, potentially compromising all objects in the application; the fix guarantees newly merged/configured objects are immune to this attack vector.
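The following is an added example, not code from Chart.js or from the patch described above: it contrasts an unchecked recursive merge with one that builds containers via Object.create(null). All function names and the sample input are hypothetical, and the key denylist is an extra assumption beyond what the fix description states.

```javascript
// Added illustration: hypothetical helpers, not Chart.js source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// "Before": recursive merge that copies every key without checking it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]); // target['__proto__'] is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// "After": skip prototype-related keys and build nested containers with no prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: a chart options document carrying a '__proto__' key.
const CONSTRUCTED_OPTIONS =
  '{"scales": {"x": {"display": true}}, "__proto__": {"polluted": true}}';

// Merge the parsed input, report whether Object.prototype gained the marker, then clean up.
function checkMerge(mergeFn, target, json) {
  const merged = mergeFn(target, JSON.parse(json));
  const polluted = hasOwn(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return { merged, polluted };
}

console.log('naive:', checkMerge(naiveMerge, {}, CONSTRUCTED_OPTIONS).polluted);
console.log('safe: ', checkMerge(safeMerge, Object.create(null), CONSTRUCTED_OPTIONS).polluted);
```

The same check can be kept as a regression test around any options-merging helper that accepts configuration from outside the application.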
Available Upgrade Options
- chart.js
- <2.9.4 → Upgrade to 2.9.4
Additional Resources
- https://github.com/chartjs/Chart.js/pull/7920
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCHARTJS-1019376
- https://osv.dev/vulnerability/GHSA-h68q-55jf-x68w
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1019375
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019374
- https://nvd.nist.gov/vuln/detail/CVE-2020-7746
- https://snyk.io/vuln/SNYK-JS-CHARTJS-1018716
What are Similar Vulnerabilities to CVE-2020-7746?
Similar Vulnerabilities: CVE-2021-23396, CVE-2020-28283, CVE-2020-28188, CVE-2019-11358, CVE-2018-3721
