Platform: nodejs
Component: zrender
Fixed in: 5.2.2, 5.2.1
CVE-2021-39227 describes a prototype pollution vulnerability in the zrender library, the rendering core of Apache ECharts. The `merge` and `clone` helper methods in the `src/core/util.ts` module copy object properties without filtering keys such as `__proto__`, so attacker-controlled objects passed to them can write into `Object.prototype`. Versions prior to 5.2.1 are affected; 5.2.1 contains the fix and users are advised to upgrade.
Prototype pollution occurs when an attacker can inject properties into a shared prototype, usually `Object.prototype`, by feeding keys such as `__proto__` to code that copies or merges object properties without checking them. Every object that inherits from that prototype then sees the injected properties, which changes the behaviour of code that never touched the attacker's input. In the context of Apache ECharts, successful exploitation of CVE-2021-39227 could allow an attacker to alter internal data structures, most plausibly leading to denial of service by corrupting application state. Direct code execution is unlikely from this flaw alone, but control over inherited properties can change how ECharts interprets chart options and can affect other code in the same process that relies on default property values. The impact is greater where ECharts options are assembled from user-supplied data, for example chart configurations accepted from an API or a shared dashboard definition.
CVE-2021-39227 was publicly disclosed on September 20, 2021. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No proof-of-concept exploits have been publicly released. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations and developers using Apache ECharts in their web applications, particularly those relying on user-supplied data for visualizations, are at risk. Environments using older versions of zrender or ECharts, or those lacking robust input validation mechanisms, are especially vulnerable.
• nodejs:
npm list zrender
# Lists every installed copy of zrender, including transitive copies pulled in by echarts; any version < 5.2.1 is affected
• nodejs:
npm audit
# Reports known advisories for the whole lockfile (npm audit takes no package argument); look for the zrender entry in its output
• generic web: Inspect ECharts option objects built from user-supplied data for keys such as `__proto__`, `constructor` or `prototype`. These have no legitimate use in a chart configuration and indicate an attempted prototype pollution payload.
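As an added example, not part of this page and not part of npm's own tooling, the following script walks the JSON that `npm ls zrender --json` prints and flags every copy of zrender below the fixed version, which `npm list` alone does not do when several copies are nested under different packages. The dependency tree embedded in the script is constructed sample data; in real use, parse the actual `npm ls zrender --json` output instead.

```javascript
// Added example: flag zrender installs older than 5.2.1 in an `npm ls zrender --json` tree.
// The tree below is constructed sample data, not real project output.
const FIXED_VERSION = '5.2.1'; // first release that patches CVE-2021-39227

// Parse "major.minor.patch" (pre-release suffixes are ignored); returns null when unparsable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when version a is strictly lower than version b (both as [major, minor, patch]).
function olderThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Recursively walk the `dependencies` map that npm ls emits and collect every
// occurrence of `name` whose version is below `fixed` (or cannot be parsed at all).
function findVulnerable(tree, name = 'zrender', fixed = FIXED_VERSION) {
  const fixedParts = parseVersion(fixed);
  const hits = [];
  const walk = (node, path) => {
    for (const [dep, info] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${dep}@${info.version || '?'}`];
      if (dep === name) {
        const parts = parseVersion(info.version);
        if (!parts || olderThan(parts, fixedParts)) {
          hits.push({ path: here.join(' > '), version: info.version || null });
        }
      }
      walk(info, here); // nested node_modules directories can hold a second copy
    }
  };
  walk(tree, []);
  return hits;
}

// Constructed sample: one patched direct install, one vulnerable copy nested under
// echarts, and one old copy under a hypothetical "legacy-charts" package.
const SAMPLE_TREE = {
  name: 'dashboard',
  version: '1.0.0',
  dependencies: {
    zrender: { version: '5.2.1' },
    echarts: {
      version: '5.2.0',
      dependencies: { zrender: { version: '5.2.0' } },
    },
    'legacy-charts': {
      version: '0.9.0',
      dependencies: { zrender: { version: '4.3.2' } },
    },
  },
};

// Print one line per affected copy and return the findings for further processing.
function report(tree = SAMPLE_TREE) {
  const hits = findVulnerable(tree);
  for (const h of hits) console.log(`VULNERABLE ${h.path}`);
  if (hits.length === 0) console.log(`no zrender < ${FIXED_VERSION} found`);
  return hits; // for SAMPLE_TREE: the echarts-nested 5.2.0 copy and the 4.3.2 copy
}

report();
```

The patched top-level copy does not make the tree safe: the walk reports the 5.2.0 copy under echarts and the 4.3.2 copy under the legacy package, which is exactly what a flat version check would miss.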
EPSS: 0.40% (60th percentile)
The primary mitigation for CVE-2021-39227 is to upgrade both zrender and Apache ECharts to version 5.2.1 or later; that release changes the affected helper methods so they no longer write to the prototype. If an immediate upgrade is not feasible, validate and sanitize any data passed to ECharts before it reaches the library. This is not a fix of the library itself, but it keeps malicious keys from ever reaching the vulnerable methods. No WAF rule or ECharts configuration option addresses the flaw; the only workaround is the application-side key check described next.
Update the ZRender library to version 5.2.1 or later. If you cannot update immediately, check whether `__proto__` is among the object's keys and skip it before using the object as a parameter of the affected methods. If you are using ECharts, apply the fix to `echarts.util.merge` and `setOption`.
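To make the mechanism and the workaround concrete, here is an added example that is not zrender's `util.ts` and not ECharts code. It pairs a minimal recursive merge that copies every key of its source, the weakness class the advisory describes, with a hardened version that applies the workaround above, and it includes a pre-check you can run on an option object before handing it to `setOption`. The payload and option objects are constructed for the demonstration; the `polluted` property name is arbitrary.

```javascript
// Added example: a naive recursive merge beside a hardened one, plus the advisory's
// "check the keys first" workaround. Illustrative code, not zrender's util.ts.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: JSON.parse('{"__proto__": {...}}') yields an *own* key named "__proto__",
// so target["__proto__"] resolves to Object.prototype and the nested keys land there.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skip the keys that can reach a shared prototype, and only descend into
// properties the target actually owns (never into something it merely inherits).
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// The advisory's workaround as a pre-check: true when an option object, or anything
// nested in it (arrays included), carries a key that could reach a prototype.
function hasPollutingKey(value) {
  if (Array.isArray(value)) return value.some(hasPollutingKey);
  if (!isPlainObject(value)) return false;
  return Object.keys(value).some((k) => UNSAFE_KEYS.has(k) || hasPollutingKey(value[k]));
}

// Run one constructed payload through a merge and report whether an unrelated,
// freshly created object inherited the injected property. Cleans up afterwards so
// repeated calls start from an unpolluted prototype.
function runPayload(merge, json) {
  const payload = JSON.parse(json); // constructed attacker-controlled input
  const option = merge({ series: [], title: {} }, payload);
  const leaked = ({}).polluted === true; // does an unrelated object see it?
  delete Object.prototype.polluted;
  return { leaked, optionHasOwn: Object.prototype.hasOwnProperty.call(option, 'polluted') };
}

const PAYLOAD = '{"title":{"__proto__":{"polluted":true}}}';
console.log('unsafe merge leaks:', runPayload(mergeUnsafe, PAYLOAD).leaked);     // true
console.log('safe merge leaks:', runPayload(mergeSafe, PAYLOAD).leaked);         // false
console.log('pre-check flags payload:', hasPollutingKey(JSON.parse(PAYLOAD)));   // true
```

The `constructor` and `prototype` entries in the block list are an assumption beyond the advisory's `__proto__` check: some merge implementations can be reached through `constructor.prototype`, and blocking all three costs nothing in a chart option. Run the pre-check on the parsed request body, before any library call, because once the naive merge has executed the damage is already visible to every object in the process.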
CVE-2021-39227 is a prototype pollution vulnerability affecting Apache ECharts versions before 5.2.1. It allows attackers to manipulate object properties, potentially leading to denial-of-service.
You are affected if you are using Apache ECharts or zrender versions prior to 5.2.1. Check your dependencies to determine if an upgrade is necessary.
Upgrade both zrender and Apache ECharts to version 5.2.1 or later. This resolves the prototype pollution vulnerability.
There is currently no evidence of active exploitation campaigns targeting CVE-2021-39227.
Refer to the zrender GitHub repository for details: https://github.com/ecomfe/zrender/pull/826