Skip to content

CVE-2018-20801 (High) detected in highcharts.src-4.0.1.js #3120

New issue
New issue
Open
Task
Open
CVE-2018-20801 (High) detected in highcharts.src-4.0.1.js#3120
Task
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSourceupstream
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Jul 17, 2025

CVE-2018-20801 - High Severity Vulnerability

Vulnerable Library - highcharts.src-4.0.1.js

Highcharts is a charting library written in pure JavaScript, offering an easy way of adding interactive charts to your web site or web application. Highcharts currently supports line, spline, area, areaspline, column, bar, pie and scatter chart types. Highcharts is NOT free for commercial use. See the license here: http://highcharts.com/license

Library home page: https://cdnjs.cloudflare.com/ajax/libs/highcharts/4.0.1/highcharts.src.js

Path to dependency file: /rubycritic/code_index.html

Path to vulnerable library: /rubycritic/assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/charts/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/seek/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/well-formed/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/ruby-eclipse-cheatsheets-to-dita/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/hashcheck/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/built-in-datatypes/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/scrapers/ruby/nokogiri/../../../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/ruby-strip/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/drivers/../assets/vendor/javascripts/highcharts.src-4.0.1.js

Dependency Hierarchy:

  • highcharts.src-4.0.1.js (Vulnerable Library)

Found in HEAD commit: 8dbdb4a1170502df116e35d16ab172d26c02609e

Found in base branch: main

Vulnerability Details

In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component, aka ReDoS.

Publish Date: 2019-03-14

URL: CVE-2018-20801

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20801

Release Date: 2019-03-14

Fix Resolution: 6.1.0

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSourceupstream

    Type

    Task

    Projects

    slurp

    Status

    To do

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions