From 5c9efa769e74b45d535dd457c0a3e97871bb2dc0 Mon Sep 17 00:00:00 2001
From: RUDRAKSHA KUSHWAHA
Date: Fri, 26 Jun 2026 23:29:02 +0530
Subject: [PATCH] fix: prevent prototype pollution in Chart.defaults path APIs - Add isValidScopePath() to validate path segments - Reject '__proto__', 'prototype', and 'constructor' in scope paths - Fixes #12265 - prototype pollution gadget vulnerability This prevents prototype pollution via Chart.defaults.set(), get(), describe(), override(), and route() methods by validating path segments before walking them.
---
 src/core/core.defaults.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/core/core.defaults.js b/src/core/core.defaults.js
index 67a1c8e5b84..e2501340dc8 100644
--- a/src/core/core.defaults.js
+++ b/src/core/core.defaults.js
@@ -7,6 +7,12 @@ import {applyScaleDefaults} from './core.scale.defaults.js';
 export const overrides = Object.create(null);
 export const descriptors = Object.create(null);
+
+function isValidScopePath(key) {
+ return !key.split('.').some((part) => (
+ part === '__proto__' || part === 'prototype' || part === 'constructor'
+ ));
+}
 /**
 * @param {object} node
 * @param {string} key
@@ -16,6 +22,9 @@ function getScope(node, key) {
 if (!key) {
 return node;
 }
+ if (!isValidScopePath(key)) {
+ throw new Error(`Invalid defaults scope: ${key}`);
+ }
 const keys = key.split('.');
 for (let i = 0, n = keys.length; i < n; ++i) {
 const k = keys[i];
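Review bot: isValidScopePath is added without a doc comment, although getScope directly below it carries JSDoc and this helper is now the security check applied to every scope path. A short block with `@param {string} key - dot-separated scope path` and `@return {boolean}`, stating that the result is false when any segment equals `__proto__`, `prototype` or `constructor`, would record that the comparison is exact-match and per segment. The three names could also move into one module-level constant, e.g. `const FORBIDDEN_SCOPE_KEYS = ['__proto__', 'prototype', 'constructor'];`, so the list has a single place to be reviewed and extended.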
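Review bot: The guard added at the top of getScope rejects only three segment names, so the safety of the walk still depends on how the loop resolves every other segment, and the loop body continues outside the hunk. If it reads `node[k]` with a plain lookup on a node that inherits from Object.prototype, names such as `toString` or `hasOwnProperty` would still resolve to shared inherited functions rather than to a new scope object; an own-property test per segment, e.g. `Object.prototype.hasOwnProperty.call(node, k)`, would cover that without growing the denylist. The path is also split twice, once in isValidScopePath and once on the `const keys = key.split('.');` line, so validating the already-split `keys` array would keep the check and the walk on the same segments. The diffstat lists only src/core/core.defaults.js, so a regression test asserting that these paths throw appears to be missing from the patch.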