add plotly vulnerability inherited from plotly.js (#19)

bhogan-mitre · web-flow · commit 0c58fb675f03 · 2025-12-26T14:16:48.000-06:00
* add plotly vulnerability inherited from plotly.js

* add modified field
diff --git a/latest-id.txt b/latest-id.txt
@@ -1 +1 @@
-2023-9
+2025-1
diff --git a/vulns/plotly/RSEC-2025-1.yaml b/vulns/plotly/RSEC-2025-1.yaml
@@ -0,0 +1,49 @@
+id: RSEC-2025-1
+details: |
+ The plotly R package up through the latest 4.11.0 includes plotly.js library 2.11.1. 
+ Plotly.js releases prior to version 2.5.2 have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.
+summary: Risk of __proto__ pollution Vulnerability
+affected:
+- package:
+    name: plotly
+    ecosystem: CRAN
+  ranges:
+  - type: ECOSYSTEM
+    events:
+    - introduced: "2.0.2"
+  versions:
+  - "2.0.2"
+  - "2.0.3"
+  - "2.0.16"
+  - "3.4.1"
+  - "3.4.13"
+  - "3.6.0"
+  - "4.5.2"
+  - "4.5.6"
+  - "4.6.0"
+  - "4.7.0"
+  - "4.7.1"
+  - "4.8.0"
+  - "4.9.0"
+  - "4.9.1"
+  - "4.9.2"
+  - "4.9.2.1"
+  - "4.9.2.2"
+  - "4.9.3"
+  - "4.9.4"
+  - "4.9.4.1"
+  - "4.10.0"
+  - "4.10.1"
+  - "4.10.2"
+  - "4.10.3"
+  - "4.10.4"
+  - "4.11.0"
+references:
+- type: WEB
+  url: https://github.com/plotly/plotly.R/issues/2463
+- type: WEB
+  url: https://nvd.nist.gov/vuln/detail/CVE-2023-46308
+upstream:
+- CVE-2023-46308
+published: "2025-12-23T15:00:00Z"
+modified: "2025-12-23T15:00:00Z"
