recharts is vulnerable to Denial of Service (DoS)
25
Low Risk
The Sankey diagram layout in recharts computes each node's depth with a recursive traversal in updateDepthOfTargets that recurses into every target even when the depth does not increase. On dense, heavily branching graphs this re-walks every distinct path through shared nodes, causing worst-case exponential time complexity. An application that renders a Sankey chart from untrusted graph data can be forced to freeze the browser main thread with a modestly sized but heavily branching set of nodes and links. The fix only recurses when a node's computed depth actually grows, so already-settled subtrees are skipped.
You are affected if you are using a version that falls within the vulnerable range and your application renders a Sankey chart from untrusted graph data.
recharts is vulnerable to Denial of Service (DoS) in versions 0.11.0 - 3.9.1.
Upgrade the recharts library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant