Remote Prototype Pollution Vulnerability - 2.25.2

zedic0501 · January 24, 2024, 3:08pm

Dear Community,

In our prev release we were using react-plotly.js lib for our charts in it, which references to a plotly.js bundle which version is < 2.25.0 and we are wondering, are we affected by this Vulnerability is we are not using the Plot API?

Thanks for your reply
BR

adamschroeder · January 24, 2024, 8:29pm

hi @zedic0501
Welcome to the community.

If you use the main plotly.js source file, you should be ok. There might have been a couple of vulnerabilities in the dev-dependencies, but these are not the dependencies used in the bundle itself.

That said, if possible, we recommend you upgrade to the latest versions.

zedic0501 · January 25, 2024, 10:22am

Thank you for your reply.

We are afraid of this spicific vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2023-46308#range-10207335

From administrative point it would not be the easiest to apply a patch for our all supported versions, so thats why I wanted to double check this issue.

I found these two merge requests, related to this issue as a fix:

and in the bundle which is used by our react-plotly.js, these changes are not in yet, but we are not sure in it, that the attacker could do anything harmful e.g. from console, because we talking about JS.

archmoj · January 25, 2024, 3:36pm

You need to upgrade plotly.js to v2.25.2 or higher versions: Releases · plotly/plotly.js · GitHub

alexcjohnson · January 25, 2024, 4:03pm

@zedic0501 when you say react-plotly.js references plotly.js with version <2.25.0, I see that the package.json there allows lower versions, but doesn’t require a lower version. The relevant entries are:

"devDependencies": {
  "plotly.js": "^2.14.0"
},
"peerDependencies": {
    "plotly.js": ">1.34.0"
}

And then because plotly.js doesn’t show up in dependencies, your project must have its own reference to plotly.js, which you can then set to a version that avoids this CVE. What I’m curious about is whether that’s enough for your vulnerability scanner, or if it’s going to keep complaining until react-plotly.js won’t even allow a lower version? We could consider raising one or both of those numbers to 2.25.2 - devDependencies for sure we could bump, but peerDependencies I worry it would be too restrictive, for example if someone prefers to stay on v1.x.

Topic		Replies	Views
Is plotly shifting toward a subscription model? plotly.js	0	264	July 19, 2023
PlotyJS Newest version not available in Julia Plotly Julia	1	485	October 3, 2021
:tada: Announcing Plotly.js 2.0! plotly.js announcements	6	15554	June 21, 2021
Release candidate for version 3.1.1 is available 📊 Plotly Python	0	473	August 8, 2018
Version 3.1.1 Released 📊 Plotly Python	0	535	August 10, 2018

Remote Prototype Pollution Vulnerability - 2.25.2

Related Topics