Advisories for Npm/Highcharts package

2021

Cross-site Scripting

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

2020
2019

Incorrect Regular Expression

In js/parts/SvgRenderer.js in Highcharts, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component, aka ReDoS.