CVE-2024-45435 Overview
CVE-2024-45435 is a Prototype Pollution vulnerability affecting Chartist, a popular JavaScript charting library for Node.js. The vulnerability exists in the extend function within Chartist versions 1.x through 1.3.0, allowing attackers to manipulate JavaScript object prototypes through malicious input.
Critical Impact
This Prototype Pollution vulnerability could allow attackers to inject arbitrary properties into JavaScript object prototypes, potentially leading to remote code execution, denial of service, or property injection attacks in applications using the vulnerable Chartist library.
Affected Products
- Chartist versions 1.x through 1.3.0
- Node.js applications using vulnerable Chartist versions
- Web applications with client-side Chartist implementations
Discovery Timeline
- 2024-08-29 - CVE-2024-45435 published to NVD
- 2024-09-03 - Last updated in NVD database
Technical Details for CVE-2024-45435
Vulnerability Analysis
This vulnerability is classified as Prototype Pollution (CWE-1321), a class of vulnerabilities specific to JavaScript that allows attackers to modify the prototype of base objects. In Chartist, the vulnerable extend function fails to properly sanitize object keys when merging configuration objects, enabling attackers to inject properties into Object.prototype through specially crafted input.
When exploited, an attacker can pollute the prototype chain by passing malicious payloads containing __proto__, constructor, or prototype keys. Because every ordinary JavaScript object inherits from Object.prototype, the injected properties become visible on all objects in the application, potentially affecting authentication mechanisms, access controls, or triggering code execution paths that rely on object property checks.
Root Cause
The root cause lies in the extend function's failure to validate and sanitize incoming object keys before property assignment. The function recursively merges objects without checking for prototype-related properties (__proto__, constructor.prototype), allowing malicious input to traverse up the prototype chain and modify base object properties that are inherited by all JavaScript objects.
Attack Vector
The vulnerability is exploitable over the network without authentication or user interaction. An attacker can deliver a malicious payload through any input vector that reaches the Chartist extend function, such as chart configuration options, data objects, or any user-controllable input that gets processed by the vulnerable function.
The attack typically involves sending a JSON payload containing __proto__ as a key with malicious property values. JSON.parse stores such a key as an ordinary own property of the parsed object, so a merge routine that iterates over keys without filtering them will encounter it; when the extend function then assigns to target.__proto__ or recurses into it, the properties are copied onto Object.prototype, affecting all objects in the application context.
For detailed technical analysis and proof of concept, refer to the GitHub Issue Discussion and the GitHub Gist Code Snippet documenting this vulnerability.
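To make the root cause concrete, the following added example (not Chartist's source and not from the references above) contrasts a simplified recursive extend of the kind the advisory describes with a hardened version that skips prototype-related keys and only merges into own properties. The payload string, the function names extendVulnerable/extendSafe and the demonstrate helper are constructed for this illustration.

```javascript
// Added example: a simplified recursive "extend" in the style the advisory
// describes (NOT Chartist's actual source), followed by a hardened version.
// Run with: node extend-example.js

// Vulnerable: copies every enumerable key, including "__proto__".
// target["__proto__"] on a plain object resolves to Object.prototype, so the
// recursive call writes the payload's properties onto the shared prototype.
function extendVulnerable(target, ...sources) {
  target = target || {};
  for (const source of sources) {
    for (const key in source) {
      const value = source[key];
      if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
        target[key] = extendVulnerable(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Hardened: iterate own keys only, refuse prototype-related keys outright,
// and never recurse into an inherited property of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function extendSafe(target, ...sources) {
  target = target || {};
  for (const source of sources) {
    if (source === null || typeof source !== 'object') continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue; // drop the dangerous key entirely
      const value = source[key];
      if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
        const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
        const base = own !== null && typeof own === 'object' ? own : {};
        target[key] = extendSafe(base, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Constructed payload of the kind the advisory describes. JSON.parse creates
// "__proto__" as an own property, which is why for..in and Object.keys see it.
const PAYLOAD_BODY = '{"__proto__": {"polluted": "yes"}, "width": 400}';

function demonstrate() {
  const result = {};
  try {
    extendVulnerable({}, JSON.parse(PAYLOAD_BODY));
    result.afterVulnerable = ({}).polluted; // 'yes': every object now inherits it
  } finally {
    delete Object.prototype.polluted;       // undo the pollution for the rest of the process
  }
  const safeTarget = extendSafe({}, JSON.parse(PAYLOAD_BODY));
  result.afterSafe = ({}).polluted;          // undefined: nothing reached Object.prototype
  result.safeKeys = Object.keys(safeTarget); // ['width']: the dangerous key was dropped
  return result;
}

console.log(JSON.stringify(demonstrate()));
```

The demonstrate function deletes the injected property again in a finally block; in a real application there is no such cleanup, which is why the pollution "persists" as the advisory says. The hasOwnProperty check in extendSafe matters on its own: even without the key blocklist, it prevents the merge from descending into an inherited value such as Object.prototype.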
Detection Methods for CVE-2024-45435
Indicators of Compromise
- Unusual JavaScript errors or unexpected object property behavior in application logs
- Detection of __proto__, constructor, or prototype keys in HTTP request payloads sent to endpoints that pass request data into Chartist configuration
- Unexpected properties appearing on JavaScript objects across the application
- Application crashes or undefined behavior in object property checks
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block payloads containing __proto__, constructor.prototype, or similar prototype pollution patterns
- Use Software Composition Analysis (SCA) tools to identify vulnerable Chartist versions in your dependency tree
- Deploy runtime application self-protection (RASP) solutions to detect prototype pollution attempts
- Monitor npm audit alerts and security advisories for Chartist package
Monitoring Recommendations
- Enable detailed logging for all chart configuration inputs and data processing functions
- Set up alerts for unusual patterns in JSON payloads targeting chart rendering endpoints
- Monitor application behavior for signs of prototype pollution such as unexpected global property modifications
- Implement Content Security Policy (CSP) headers to limit the impact of potential code execution
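As an added example of the WAF-style and application-level detection recommended above (not Chartist code and not from the page), the snippet below parses a request body as JSON and walks the result, reporting the path of every prototype-related key. The sample bodies, the SUSPICIOUS_KEYS set and the inspectBody/inspectAll function names are constructed for this illustration.

```javascript
// Added example: scan JSON request bodies for prototype-pollution keys before
// they reach chart configuration code. Not from Chartist.

const SUSPICIOUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and collect the path of every suspicious key.
// JSON.parse stores "__proto__" as an own property, so Object.keys exposes it
// even though the same key in an object literal would set the prototype instead.
function findPollutionKeys(value, path = '$', findings = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPollutionKeys(item, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const keyPath = `${path}.${key}`;
      if (SUSPICIOUS_KEYS.has(key)) findings.push(keyPath);
      findPollutionKeys(value[key], keyPath, findings);
    }
  }
  return findings;
}

// Inspect one raw request body and return a verdict suitable for a blocking
// rule or an alerting log line.
function inspectBody(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { verdict: 'unparseable', findings: [] };
  }
  const findings = findPollutionKeys(parsed);
  return { verdict: findings.length ? 'block' : 'allow', findings };
}

// Constructed sample request bodies (not real traffic).
const SAMPLE_BODIES = [
  '{"width": 400, "height": 300, "axisX": {"showGrid": false}}',
  '{"__proto__": {"polluted": true}}',
  '{"axisX": {"constructor": {"prototype": {"isAdmin": true}}}}',
  '{"series": [[1, 2], {"__proto__": {"x": 1}}]}',
  'not json at all',
];

function inspectAll(bodies = SAMPLE_BODIES) {
  return bodies.map((body) => ({ body, ...inspectBody(body) }));
}

for (const r of inspectAll()) {
  console.log(`${r.verdict.padEnd(11)} ${r.findings.join(', ') || '-'}  ${r.body}`);
}
```

Matching on the parsed document rather than on the raw text means JSON escape sequences inside a key are normalised before comparison, and the reported path tells an analyst exactly which field to look at. A verdict of "unparseable" is worth logging separately: a chart endpoint that receives non-JSON bodies is itself an anomaly.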
How to Mitigate CVE-2024-45435
Immediate Actions Required
- Audit your applications to identify all instances of Chartist versions 1.x through 1.3.0
- Implement input validation to sanitize all user-controllable data before passing to Chartist functions
- Consider using Object.freeze(Object.prototype) as a temporary defensive measure where application compatibility allows
- Evaluate alternative charting libraries if immediate patching is not possible
Patch Information
Review the GitHub Issue Discussion for the latest information on available patches and recommended upgrade paths. Organizations should update to a patched version of Chartist as soon as one becomes available; until then, apply the workarounds described below.
Workarounds
- Implement a wrapper function that sanitizes input objects by removing __proto__, constructor, and prototype keys before passing them to Chartist
- Use Object.create(null) for configuration objects to create prototype-less objects that cannot be polluted
- Freeze the Object.prototype at application startup using Object.freeze(Object.prototype) (note: may affect application functionality)
- Validate and whitelist only expected properties in chart configuration objects
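The following added example combines the sanitizing wrapper, the Object.create(null) configuration object and the allowlist approach from the list above into one routine. It is not Chartist code; the OPTIONS_SCHEMA, the sanitizeOptions and demo function names and the untrusted sample body are assumptions made for this illustration, and the option names in the schema stand in for whatever options your own charts actually accept.

```javascript
// Added example: allowlist chart options and copy them into prototype-less
// objects before they reach a charting library. Not from Chartist; the schema
// below is an assumption for illustration, not Chartist's documented option set.

// Each schema entry is either a primitive type name or a nested schema for an
// option group.
const OPTIONS_SCHEMA = {
  width: 'number',
  height: 'number',
  low: 'number',
  high: 'number',
  showArea: 'boolean',
  showLine: 'boolean',
  axisX: { offset: 'number', showGrid: 'boolean', showLabel: 'boolean' },
  axisY: { offset: 'number', showGrid: 'boolean', showLabel: 'boolean' },
};

// Copy only schema-listed keys with the expected type from `input` into a fresh
// Object.create(null) object. Anything else, including "__proto__",
// "constructor" and unknown options, is dropped and reported in `rejected`.
function sanitizeOptions(input, schema = OPTIONS_SCHEMA, path = '', rejected = []) {
  const clean = Object.create(null);
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { options: clean, rejected };
  }
  for (const key of Object.keys(input)) {
    const keyPath = path ? `${path}.${key}` : key;
    // hasOwnProperty keeps inherited names like "constructor" from matching.
    const expected = Object.prototype.hasOwnProperty.call(schema, key) ? schema[key] : undefined;
    const value = input[key];
    if (expected === undefined) {
      rejected.push(keyPath);
    } else if (typeof expected === 'object') {
      clean[key] = sanitizeOptions(value, expected, keyPath, rejected).options;
    } else if (typeof value === expected) {
      clean[key] = value;
    } else {
      rejected.push(`${keyPath} (expected ${expected})`);
    }
  }
  return { options: clean, rejected };
}

// Constructed untrusted input, e.g. a decoded request body. Built from a JSON
// string so that "__proto__" is an own key, as it would be from JSON.parse.
const UNTRUSTED_BODY =
  '{"width": 400, "height": "300", "showArea": true,' +
  ' "axisX": {"showGrid": false, "__proto__": {"polluted": true}},' +
  ' "constructor": {"prototype": {"isAdmin": true}}, "unknownOption": 1}';

function demo() {
  const { options, rejected } = sanitizeOptions(JSON.parse(UNTRUSTED_BODY));
  return {
    options,
    rejected,
    hasPrototype: Object.getPrototypeOf(options) !== null, // false: nothing to pollute
    polluted: ({}).polluted,                                // undefined: nothing leaked
  };
}

console.log(JSON.stringify(demo()));
```

The allowlist is what actually stops the pollution; the null prototype is defense in depth, so that a lookup of an option that was never set cannot read a value some other code path has already planted on Object.prototype. Logging the rejected list gives the monitoring described earlier a concrete signal without having to inspect raw request bodies.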
# Example: Check Chartist version in your project
npm list chartist
# Audit for vulnerabilities in your dependencies
npm audit
# If a patched version is available, update with:
npm update chartist
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


