PT-2021-22477 · Apache · Apache Echarts

Lowpissang · Published 2021-09-17 · Updated 2022-09-10 · CVE-2021-39227

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ZRender versions prior to 5.2.1
Apache ECharts versions prior to 5.2.1

Description
The issue results in prototype pollution when using the merge and clone helper methods in the src/core/util.ts module. It affects Apache ECharts, which uses and exports these methods directly. A proof of concept is available on the GitHub Security Advisory page.

Recommendations
For ZRender versions prior to 5.2.1, update to version 5.2.1. For Apache ECharts versions prior to 5.2.1, update to version 5.2.1. As a temporary workaround, check whether __proto__ is among the object keys and omit it before passing the object to the affected methods, such as echarts.util.merge and setOption.
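The temporary workaround above, as an added example that is not ZRender or ECharts code: detect an own __proto__ key anywhere in an option object, and omit it before the object reaches a merge-style helper. The naiveMerge function is a constructed stand-in for such a helper, not the project's implementation, and the option object is constructed sample input.

```javascript
// Added example, not ZRender/ECharts code. BLOCKED_KEY is the key the advisory's
// workaround names; the merge helper below is a constructed stand-in.
const BLOCKED_KEY = '__proto__';

// Detect: true if `value` or anything nested in it has an own __proto__ key.
// JSON.parse('{"__proto__": ...}') creates exactly such an own property.
function hasProtoKey(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Object.prototype.hasOwnProperty.call(value, BLOCKED_KEY)) return true;
  return Object.keys(value).some((k) => hasProtoKey(value[k]));
}

// Mitigate: deep copy with every own __proto__ key omitted, at any depth.
function stripProtoKeys(value) {
  if (Array.isArray(value)) return value.map(stripProtoKeys);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (key === BLOCKED_KEY) continue; // omit the key the workaround names
    out[key] = stripProtoKeys(value[key]);
  }
  return out;
}

// Constructed stand-in for a recursive merge helper that trusts its input keys.
// Given an unfiltered own __proto__ key it would recurse into Object.prototype,
// which is why it is only ever called through safeMerge here.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const s = source[key];
    if (s !== null && typeof s === 'object' && !Array.isArray(s)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Hardened entry point: filter first, then merge.
function safeMerge(target, source) {
  return naiveMerge(target, stripProtoKeys(source));
}

// Constructed sample: an option object from an untrusted JSON source that
// carries a __proto__ key alongside legitimate chart fields.
const untrustedOption = JSON.parse(
  '{"title":{"text":"Sales"},"__proto__":{"polluted":true},"series":[{"type":"bar"}]}'
);

function demo() {
  const merged = safeMerge({ title: { show: true } }, untrustedOption);
  return {
    flagged: hasProtoKey(untrustedOption),                        // true
    cleanFlagged: hasProtoKey(stripProtoKeys(untrustedOption)),   // false
    titleText: merged.title.text,                                 // 'Sales'
    titleShow: merged.title.show,                                 // true
    prototypeClean: ({}).polluted === undefined,                  // true
  };
}
```

In an ECharts application, stripProtoKeys (or a hasProtoKey rejection) would sit between the untrusted source and the setOption or echarts.util.merge call.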

Weakness Enumeration

Prototype Pollution

Related Identifiers

CVE-2021-39227
GHSA-FHV8-FX5F-7FXF

Affected Products

Apache Echarts