Prototype Pollution
Description
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chart.js before 2.9.4 is vulnerable to prototype pollution via unsanitized deep merge of the options parameter, allowing attackers to pollute Object.prototype.
Vulnerability
Overview
CVE-2020-7746 is a prototype pollution vulnerability in the Chart.js library, affecting versions before 2.9.4. The root cause lies in the options parameter processing: when user-supplied options are deeply merged with existing or default options, the merge function does not validate object keys. This allows an attacker to inject properties like __proto__ or constructor.prototype into the merge target, leading to pollution of the global Object.prototype [1][2].
Exploitation
Exploitation requires the attacker to control the options object passed to a Chart.js chart instance. No authentication is needed if the application accepts user input for chart configuration (e.g., via a web form or API). The merge operation recursively copies properties without checking for special keys, so a crafted payload containing "__proto__": {"polluted": true} can set arbitrary properties on all JavaScript objects in the runtime [4].
Impact
Successful prototype pollution can lead to denial of service (e.g., by causing exceptions) or, in more severe cases, remote code execution if the polluted property influences application logic. For example, an attacker could override default settings or inject malicious code paths that are later executed [4].
Mitigation
The vulnerability was fixed in Chart.js version 2.9.4 by using Object.create(null) as the merge target, which prevents prototype pollution by ensuring the target object has no prototype chain [2]. Users should upgrade to 2.9.4 or later. No workarounds are documented; patching is the recommended action.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
chart.jsnpm | < 2.9.4 | 2.9.4 |
Affected products
3- Chart.js/chart.jsdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-h68q-55jf-x68wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-7746ghsaADVISORY
- github.com/chartjs/Chart.js/pull/7920ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1019375ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCHARTJS-1019376ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019374ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JS-CHARTJS-1018716ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.