chartkick is vulnerable to prototype pollution. Attackers can manipulate attributes to overwrite, or pollute, existing properties of an Object by injecting malicious values through the __proto__ attribute. Using this flaw, attackers can cause a denial of service (DoS) condition and, in some situations, remote code execution.
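The pattern behind this class of flaw, as an added example that is not chartkick's own code: a recursive options merge without a key guard, beside a guarded version that skips prototype-related keys. The function names, the blocked-key list and the sample JSON are assumptions constructed for illustration.

```javascript
// Added illustration; names are hypothetical and not part of chartkick's API.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Unguarded merge: JSON.parse creates "__proto__" as an own key, and
// target["__proto__"] resolves to Object.prototype, so the recursion writes there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded merge: skips keys that reach the prototype chain and only
// recurses into properties the target itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: chart options as they might arrive in JSON.
const SAMPLE = '{"library":{"title":"ok"},"__proto__":{"polluted":true}}';

// Runs one merge, reports whether Object.prototype gained a property,
// then restores global state so the check has no lasting effect.
function checkMerge(mergeFn, json) {
  const merged = mergeFn({}, JSON.parse(json));
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted;
  return { merged, polluted };
}
```

Calling `checkMerge(naiveMerge, SAMPLE)` and `checkMerge(safeMerge, SAMPLE)` shows the difference; the same check works as a regression test for any merge helper that accepts untrusted option objects.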
chartkick.com
github.com/ankane/chartkick.js/commit/3f833c2b229db140295b44074fef56428e0a8b91
github.com/ankane/chartkick.js/issues/117
github.com/ankane/chartkick/blob/master/CHANGELOG.md
github.com/ankane/chartkick/commit/b810936bbf687bc74c5b6dba72d2397a399885fa
github.com/ankane/chartkick/commits/master
rubygems.org/gems/chartkick/
www.npmjs.com/advisories/1312