Critical severity · NVD Advisory · Published Jun 4, 2025 · Updated Jun 4, 2025
CVE-2025-49223
Description
billboard.js before 3.15.1 was discovered to contain a prototype pollution vulnerability in the function `generate`, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) by injecting arbitrary properties.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| billboard.js (npm) | < 3.15.1 | 3.15.1 |
Affected products
- Range: 3.15.1
Patches
82ea7ac4f572 fix(core): Fix potential security vulnerability
5 files changed · +23 −11
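--- a/src/Chart/api/export.ts
+++ b/src/Chart/api/export.ts
@@ -257,7 +257,7 @@ export default {
 		const $$ = this.internal;
 		const {state, $el: {chart, svg}} = $$;
 		const {width, height} = state.current;
-		const opt = mergeObj({
+		const opt = mergeObj(Object.create(null), {
 			width,
 			height,
 			preserveAspectRatio: true,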
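Review bot: `Object.create(null)` as the merge target leaves `opt` without any prototype, so a later `opt.hasOwnProperty(...)` call or a string coercion of the object would throw instead of reaching the inherited method; the same applies to `defaults` and `options` in the src/core.ts hunks. That is probably fine if these objects are only ever read by key, but each site deserves a one-line comment such as `// null-prototype target: a "__proto__" key in config cannot reach Object.prototype` so the pattern is not "simplified" back to `{}` later. If `defaults` is reassigned anywhere from a caller-supplied literal, that reassignment reintroduces an ordinary prototype and needs the same treatment — confirm against the rest of core.ts. The enclosing method in export.ts starts before this hunk and continues after it.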
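--- a/src/core.ts
+++ b/src/core.ts
@@ -5,7 +5,7 @@
 import Chart from "./Chart/Chart";
 import {isObject, mergeObj} from "./module/util";
 
-let defaults = {};
+let defaults = Object.create(null);
 
 /**
  * @namespace bb
@@ -92,7 +92,7 @@ const bb = {
 	 * });
 	 */
 	generate(config) {
-		const options = mergeObj({}, defaults, config);
+		const options = mergeObj(Object.create(null), defaults, config);
 		const inst = new Chart(options);
 
 		inst.internal.charts = this.instance;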
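--- a/src/module/util.ts
+++ b/src/module/util.ts
@@ -620,13 +620,15 @@ function mergeObj(target: object, ...objectN): any {
 
 	if (isObject(target) && isObject(source)) {
 		Object.keys(source).forEach(key => {
-			const value = source[key];
-
-			if (isObject(value)) {
-				!target[key] && (target[key] = {});
-				target[key] = mergeObj(target[key], value);
-			} else {
-				target[key] = isArray(value) ? value.concat() : value;
+			if (!/^(__proto__|constructor|prototype)$/i.test(key)) {
+				const value = source[key];
+
+				if (isObject(value)) {
+					!target[key] && (target[key] = {});
+					target[key] = mergeObj(target[key], value);
+				} else {
+					target[key] = isArray(value) ? value.concat() : value;
+				}
 			}
 		});
 	}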
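Review bot: The denylist regex is re-created for every key because the literal sits inside the `forEach` callback, and its `i` flag rejects more than the three names that actually matter (`__PROTO__` is an ordinary own key, only the exact lowercase name is special); hoist it into a named module constant with a comment stating why it exists, e.g. `// keys that would let a merged object write through to Object.prototype` and `const UNSAFE_KEYS = /^(__proto__|constructor|prototype)$/;`, then `if (UNSAFE_KEYS.test(key)) { return; }` at the top of the callback, which also removes one level of nesting from the body. The filter drops matching keys silently, so a caller passing a legitimate option literally named `constructor` gets no signal; a line in the `mergeObj` docstring stating that these keys are ignored would make that contract explicit. Both the start and the end of `mergeObj` lie outside this hunk.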
test/api/show-spec.ts+1 −1 modified@@ -130,7 +130,7 @@ describe("API show", () => { expect(+internal.$el.svg.selectAll(`.${$LEGEND.legendItemHidden}`).size()).to.be.equal(1); done(1); - }, 300); + }, 400); })); it("Show all data", () => new Promise(done => {
test/internals/core-spec.ts+10 −0 modified@@ -344,4 +344,14 @@ describe("CORE", function() { expect(d3Select(previous).classed($GRID.grid)).to.be.true; }); }); + + describe("security prevention", () => { + it("should not allow pollution of the prototype", () => { + const chart = util.generate(JSON.parse(`{"data":{"columns":[["data1",30,200,100,400,150,250],["data2",130,100,140,200,150,50]],"type":"bar"},"bar":{"width":{"ratio":0.5}},"bindto":"#chart","__proto__":{"pollutedKey":"pollutedValue"}}`)); + + // @ts-ignore + expect(({}.__proto__).pollutedKey).to.be.undefined; + }); + }); + });
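Review bot: The new regression test only exercises the `__proto__` key, while the `mergeObj` filter also rejects `constructor` and `prototype`; a second fixture that routes through those keys would pin that branch as well. `// @ts-ignore` should be `// @ts-expect-error` so the suppression fails loudly once the typing no longer needs it, and the assertion reads more directly against the shared prototype, `expect(Object.prototype).to.not.have.property("pollutedKey");`. The generated `chart` is never destroyed in this `it`, which may leave a bound `#chart` instance behind for later specs unless the surrounding suite tears it down — confirm against the rest of the file. The enclosing `describe("CORE", ...)` starts before this hunk.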
References
- cve.naver.com/detail/cve-2025-49223.html (ghsa, vendor-advisory, WEB)
- github.com/advisories/GHSA-65p9-j6pg-72hj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-49223 (ghsa, ADVISORY)
- github.com/naver/billboard.js/blob/938f263feca453fba5a4dc48d86b32cc5b509443/src/core.ts (ghsa, WEB)
- github.com/naver/billboard.js/commit/82ea7ac4f5720d6a7f0c2fa5a5dad51a549667bb (ghsa, WEB)