CVE-2021-39227

Fix prototype pollution in the zrender merge and clone helper methods

Description

ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: Check if there is `__proto__` in the object keys. Omit it before using it as an parameter in these affected methods. Or in `echarts.util.merge` and `setOption` if project is using ECharts.

References

Link	Tags
https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf	third party advisory
https://github.com/ecomfe/zrender/pull/826	third party advisory patch
https://github.com/ecomfe/zrender/releases/tag/5.2.1	third party advisory release notes

Frequently Asked Questions

What is the severity of CVE-2021-39227?: CVE-2021-39227 has been scored as a medium severity vulnerability.
How to fix CVE-2021-39227?: To fix CVE-2021-39227, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-39227 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-39227 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-39227?: CVE-2021-39227 affects ecomfe zrender.

Description

Category

CWE-1321 – Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

References

Frequently Asked Questions