CVE-2024-45435

9.8 CRITICAL

📋 TL;DR

CVE-2024-45435 is a prototype pollution vulnerability in Chartist.js that allows attackers to modify object prototypes, potentially leading to remote code execution or denial of service. This affects any web application using vulnerable Chartist versions for data visualization. Attackers can exploit this by injecting malicious payloads into chart data.

💻 Affected Systems

Products:
  • Chartist.js
Versions: 1.0.0 through 1.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any web application using Chartist for chart rendering is vulnerable by default

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠

Likely Case

Denial of service, data manipulation, or client-side attacks affecting user sessions

🟢

If Mitigated

Limited impact with proper input validation and sandboxing

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available in a GitHub gist; exploitation requires user interaction with malicious chart data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.0

Vendor Advisory: https://github.com/chartist-js/chartist/issues/1427

Restart Required: No

Instructions:

1. Update the Chartist dependency to version 1.4.0 or later.
2. Run npm update chartist or yarn upgrade chartist.
3. Rebuild and redeploy the application.

🔧 Temporary Workarounds

Input sanitization (Applies to: all)

Implement strict input validation for all chart data inputs.

Object.freeze workaround (Applies to: all)

Freeze Object.prototype to prevent pollution:

Object.freeze(Object.prototype);

🧯 If You Can't Patch

  • Implement Content Security Policy to restrict script execution
  • Isolate Chartist in sandboxed iframe with restricted permissions

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for Chartist version 1.0.0-1.3.0

Check Version:

npm list chartist or grep chartist package.json

Verify Fix Applied:

Verify Chartist version is 1.4.0 or higher in package.json

📡 Detection & Monitoring

Log Indicators:

  • Unusual chart data patterns
  • JavaScript errors related to prototype modification

Network Indicators:

  • Suspicious chart data payloads in POST requests

SIEM Query:

source=web_logs AND (chart_data CONTAINS "__proto__" OR chart_data CONTAINS "constructor")
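The two workarounds above (input sanitization and freezing Object.prototype) and the detection query share one underlying check: does untrusted chart data carry a `__proto__`, `constructor` or `prototype` key anywhere in its structure? The following is an added example, not code from Chartist or from the advisory. It assumes chart data arrives as a JSON request body that is parsed with JSON.parse before reaching the chart library, and it scans constructed log lines in a made-up format (JSON objects with "src" and "body" fields; the addresses are documentation-range placeholders, not real indicators).

```javascript
// Added example (not Chartist's or the advisory's code). Assumed setup: chart
// data is a JSON request body; log lines are JSON objects with "src" and
// "body" fields (a constructed log format, not a real product's schema).

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk parsed JSON and return the path of every forbidden key. JSON.parse
// stores "__proto__" as an ordinary own property, so Object.keys sees it.
// Nesting depth is capped because hostile nesting is itself a denial-of-
// service vector for recursive merge/extend routines.
function findPollutionKeys(value, path = '$', depth = 0, maxDepth = 32) {
  if (depth > maxDepth) return [`${path}: nesting deeper than ${maxDepth}`];
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => {
      hits.push(...findPollutionKeys(item, `${path}[${i}]`, depth + 1, maxDepth));
    });
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const childPath = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) hits.push(childPath);
      hits.push(...findPollutionKeys(value[key], childPath, depth + 1, maxDepth));
    }
  }
  return hits;
}

// Input-sanitization workaround: reject the whole payload instead of
// stripping keys, so every rejected request is visible in the logs.
function parseChartData(json) {
  let data;
  try {
    data = JSON.parse(json);
  } catch (err) {
    return { ok: false, problems: [`invalid JSON: ${err.message}`] };
  }
  const problems = findPollutionKeys(data);
  return problems.length > 0 ? { ok: false, problems } : { ok: true, data };
}

// Object.freeze workaround from the advisory; returns whether it took effect.
// Caveat: any code that legitimately extends Object.prototype will break,
// so exercise the whole application before enabling this at startup.
function freezeObjectPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Startup check: can Object.prototype still be written to? A symbol key is
// added and removed again, so a writable prototype is left exactly as found.
function prototypeIsWritable() {
  const probe = Symbol('pollution-probe');
  try {
    Object.defineProperty(Object.prototype, probe, { value: 1, configurable: true });
    delete Object.prototype[probe];
    return true;
  } catch (err) {
    return false; // TypeError once the prototype is frozen
  }
}

// Detection over logged request bodies. Matching on keys rather than on
// substrings avoids flagging a chart label whose text merely says
// "constructor"; non-JSON bodies fall back to the substring check.
function scanLogLines(lines) {
  const findings = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    if (typeof entry.body !== 'string') continue;
    const parsed = parseChartData(entry.body);
    if (parsed.ok) continue;
    const hits = parsed.problems.filter((p) => !p.startsWith('invalid JSON'));
    if (hits.length > 0) {
      findings.push({ src: entry.src, reason: hits.join(', ') });
    } else if (/__proto__|constructor/.test(entry.body)) {
      findings.push({ src: entry.src, reason: 'substring match in non-JSON body' });
    }
  }
  return findings;
}

// Constructed sample log: one clean request, one benign "constructor" label,
// one polluting payload, one non-JSON body.
const SAMPLE_LOG = [
  { src: '198.51.100.7', body: '{"labels":["Q1","Q2"],"series":[[5,3]]}' },
  { src: '198.51.100.8', body: '{"labels":["constructor"],"series":[[1]]}' },
  { src: '203.0.113.9', body: '{"labels":["Q1"],"series":[[1]],"__proto__":{"polluted":true}}' },
  { src: '203.0.113.10', body: 'labels=__proto__' },
].map((entry) => JSON.stringify(entry));

console.log(scanLogLines(SAMPLE_LOG));
```

Running the block flags only the third and fourth sample lines; the second line, which the page's substring-based SIEM query would also match, is correctly left alone because "constructor" there is a value, not a key. In a real deployment, parseChartData guards the request handler and freezeObjectPrototype() is called once at process start, with prototypeIsWritable() as the check that the workaround is actually active.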
