CVE-2020-7746

Name of the Vulnerable Software and Affected Versions chart.js versions prior to 2.9.4

Description The issue is related to the options parameter not being properly sanitized when processed. This leads to a prototype pollution when the existing options (or default options) are deeply merged with provided options, as the keys of the object being set are not checked. This could potentially allow a remote attacker to execute arbitrary code.

Recommendations For chart.js versions prior to 2.9.4, update to version 2.9.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the options parameter until a patch is available.