Remote Prototype Pollution Vulnerability - 2.25.2

Dear Community,

In our prev release we were using react-plotly.js lib for our charts in it, which references to a plotly.js bundle which version is < 2.25.0 and we are wondering, are we affected by this Vulnerability is we are not using the Plot API?

Thanks for your reply

hi @zedic0501
:wave: Welcome to the community.

If you use the main plotly.js source file, you should be ok. There might have been a couple of vulnerabilities in the dev-dependencies, but these are not the dependencies used in the bundle itself.

That said, if possible, we recommend you upgrade to the latest versions.

Thank you for your reply.

We are afraid of this spicific vulnerability:

From administrative point it would not be the easiest to apply a patch for our all supported versions, so thats why I wanted to double check this issue.

I found these two merge requests, related to this issue as a fix:

and in the bundle which is used by our react-plotly.js, these changes are not in yet, but we are not sure in it, that the attacker could do anything harmful e.g. from console, because we talking about JS.

You need to upgrade plotly.js to v2.25.2 or higher versions: Releases · plotly/plotly.js · GitHub

1 Like

@zedic0501 when you say react-plotly.js references plotly.js with version <2.25.0, I see that the package.json there allows lower versions, but doesn’t require a lower version. The relevant entries are:

"devDependencies": {
  "plotly.js": "^2.14.0"
"peerDependencies": {
    "plotly.js": ">1.34.0"

And then because plotly.js doesn’t show up in dependencies, your project must have its own reference to plotly.js, which you can then set to a version that avoids this CVE. What I’m curious about is whether that’s enough for your vulnerability scanner, or if it’s going to keep complaining until react-plotly.js won’t even allow a lower version? We could consider raising one or both of those numbers to 2.25.2 - devDependencies for sure we could bump, but peerDependencies I worry it would be too restrictive, for example if someone prefers to stay on v1.x.

1 Like