CVE-2023-46308 in plotly.jsinfo

Summary

by MITRE • 01/03/2024

In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 12/27/2025

The vulnerability identified as CVE-2023-46308 affects the plotly.js JavaScript library version 2.25.1 and earlier, representing a critical prototype pollution flaw that can be exploited to manipulate object prototypes within the library's API call handling mechanisms. This issue specifically manifests in the expandObjectPaths and nestedProperty functions where the _proto_ property can be contaminated, allowing attackers to inject malicious code or manipulate the prototype chain of objects. The vulnerability stems from insufficient input validation and sanitization within the library's internal object manipulation functions, creating a pathway for attackers to potentially execute arbitrary code or manipulate application behavior through crafted API calls. The flaw exists because the library fails to properly validate or sanitize property names during object path expansion operations, particularly when handling nested object structures that are common in data visualization applications.

The technical exploitation of this vulnerability occurs when an attacker crafts malicious API parameters that include _proto_ as a property name in object path expansions. When the plotly.js library processes these inputs through the vulnerable expandObjectPaths or nestedProperty functions, the prototype pollution occurs by directly assigning values to the _proto_ property of objects. This allows attackers to modify the prototype of existing objects, potentially enabling them to inject malicious properties or methods into the prototype chain that can be executed during subsequent object operations. The vulnerability is particularly dangerous because it can be triggered through legitimate API calls that users might make when configuring visualizations, making it difficult to detect and prevent through standard input validation measures. According to CWE-471, this represents a weakness where a program modifies a data structure's control data in a way that affects how the data is processed, specifically through prototype pollution attacks that can lead to various security consequences including remote code execution and privilege escalation.

The operational impact of CVE-2023-46308 extends beyond simple data manipulation to potentially enable sophisticated attacks that can compromise entire web applications using plotly.js. When exploited, this vulnerability can allow attackers to inject malicious code that executes in the context of the victim's browser, potentially leading to session hijacking, data theft, or full application compromise. The risk is particularly elevated in web applications that process user-provided data through plotly.js visualizations, as attackers can craft malicious inputs that will be processed by the vulnerable functions during normal application operation. Applications using the affected library versions may be vulnerable to attacks that could be leveraged to perform actions such as reading sensitive data, modifying application behavior, or executing arbitrary JavaScript code within the victim's browser context. This vulnerability aligns with ATT&CK technique T1566.001 for social engineering attacks, as it can be exploited through maliciously crafted API calls that appear legitimate to the application, and T1059.007 for script injection, as it enables execution of arbitrary code through prototype manipulation.

Mitigation strategies for CVE-2023-46308 require immediate action to upgrade to plotly.js version 2.25.2 or later, which includes patches addressing the prototype pollution vulnerability in expandObjectPaths and nestedProperty functions. Organizations should implement comprehensive input validation and sanitization measures for all API parameters that might be processed by the library, particularly those involving nested object structures. Additional protective measures include implementing Content Security Policy (CSP) headers to limit script execution capabilities, using secure coding practices that prevent direct assignment to _proto_ properties, and conducting thorough security testing of all data visualization components that utilize plotly.js. The fix implemented in version 2.25.2 involves proper validation of property names and sanitization of object paths to prevent prototype pollution attacks, ensuring that malicious _proto_ values cannot be used to manipulate object prototypes during API call processing. Security teams should also monitor their applications for any unauthorized modifications or unusual API call patterns that might indicate exploitation attempts, and maintain updated threat intelligence feeds to track related vulnerabilities in similar libraries that might be vulnerable to similar prototype pollution attacks.

Reservation

10/22/2023

Disclosure

01/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00936

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!