CVE-2021-39227
- Source
- https://cve.org/CVERecord?id=CVE-2021-39227
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39227.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-39227
- Aliases
- Related
- Published
- 2021-09-17T14:15:08.353Z
- Modified
- 2026-04-10T04:38:22.566970Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using
mergeandclonehelper methods in thesrc/core/util.tsmodule results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: Check if there is__proto__in the object keys. Omit it before using it as an parameter in these affected methods. Or inecharts.util.mergeandsetOptionif project is using ECharts. - References
Affected packages
Git / github.com/ecomfe/zrender
Affected versions
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.5
1.0.6
1.0.7
1.0.8
1.1.0
1.1.1
1.1.2
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0
3.2.1
3.2.2
3.3.0
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1
3.7.0
3.7.2
3.7.3
3.7.4
4.*
4.0.0
4.0.1
4.0.3
4.0.5
4.0.6
4.0.7
4.1.0
4.1.1
4.1.2
4.2.0
4.3.0
4.3.1
4.3.2
5.*
5.0.0
5.0.1
5.0.3
5.0.4
5.1.0
5.1.1
5.2.0
v4.*
v4.0.6