{"id":"RSEC-2025-1","summary":"Risk of __proto__ pollution vulnerability","details":"The plotly R package, up through the latest version 4.11.0, includes the plotly.js library version 2.11.1.\nPlotly.js releases prior to version 2.25.2 are at risk of __proto__ being polluted in expandObjectPaths or nestedProperty.\n","modified":"2025-12-26T20:44:53.041765Z","published":"2025-12-23T15:00:00Z","upstream":["CVE-2023-46308"],"references":[{"type":"WEB","url":"https://github.com/plotly/plotly.R/issues/2463"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46308"},{"type":"WEB","url":"https://github.com/plotly/plotly.R/pull/2471"}],"affected":[{"package":{"name":"plotly","ecosystem":"CRAN","purl":"pkg:cran/plotly"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.2"},{"fixed":"4.12.0"}]}],"versions":["2.0.2","2.0.3","2.0.16","3.4.1","3.4.13","3.6.0","4.5.2","4.5.6","4.6.0","4.7.0","4.7.1","4.8.0","4.9.0","4.9.1","4.9.2","4.9.2.1","4.9.2.2","4.9.3","4.9.4","4.9.4.1","4.10.0","4.10.1","4.10.2","4.10.3","4.10.4","4.11.0"],"database_specific":{"source":"https://github.com/RConsortium/r-advisory-database/blob/main/vulns/plotly/RSEC-2025-1.yaml"}}],"schema_version":"1.7.3"}