Intel

AIKIDO-2026-172842

recharts is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

25

Low Risk

This Affects:

JSrecharts
0.11.0 - 3.9.1
Fixed in 3.9.2
Are you affected? Scan for Free

TL;DR

The Sankey diagram layout in recharts computes each node's depth with a recursive traversal in updateDepthOfTargets that recurses into every target even when the depth does not increase. On dense, heavily branching graphs this re-walks every distinct path through shared nodes, causing worst-case exponential time complexity. An application that renders a Sankey chart from untrusted graph data can be forced to freeze the browser main thread with a modestly sized but heavily branching set of nodes and links. The fix only recurses when a node's computed depth actually grows, so already-settled subtrees are skipped.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application renders a Sankey chart from untrusted graph data.

Background info

recharts is vulnerable to Denial of Service (DoS) in versions 0.11.0 - 3.9.1.

How to fix this

Upgrade the recharts library to the patch version.