Platform: nodejs
Component: zrender
Fixed in: 5.2.1, 5.2.2
CVE-2021-39227 is a prototype pollution vulnerability in zrender, the rendering library underneath Apache ECharts. The `merge` and `clone` helpers in the `util.ts` module walk the keys of an attacker-supplied object and write them into the target without rejecting `__proto__`, so recursion into `target["__proto__"]` lands on `Object.prototype`. zrender versions before 5.2.1 are affected; the fix shipped in 5.2.1 and users should upgrade.
Prototype pollution occurs when an attacker can write properties onto the prototype of a JavaScript object, most often `Object.prototype`, so that every object inheriting from it, which in practice is every plain object in the same realm, silently gains those properties. For Apache ECharts this means an attacker who controls a chart option (for example a JSON option posted by a client and merged into an existing chart through `setOption`) can alter internal data structures, and the most likely outcome is a denial of service: application state is corrupted, unexpected keys appear in `for...in` loops, and in a long-lived Node.js process the pollution persists until restart. Direct code execution is unlikely from this flaw alone, but polluted properties can change how ECharts renders and how the surrounding application behaves, since any code that reads an unset property now sees the attacker's value. The exposure is greatest where chart options are built from untrusted input or where charts render sensitive data.
CVE-2021-39227 was publicly disclosed on September 20, 2021. There is no indication of active exploitation campaigns targeting this vulnerability at this time, no proof-of-concept exploit has been publicly released, and the vulnerability is not listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.40% (60th percentile)
CVSS Vector:
The primary mitigation for CVE-2021-39227 is to upgrade zrender to 5.2.1 or later. Because Apache ECharts bundles zrender as a dependency, upgrade ECharts to 5.2.1 or later as well and confirm in your lockfile that the resolved zrender version is at least 5.2.1. If an immediate upgrade is not feasible, validate any untrusted data before it becomes part of a chart option: reject or strip the `__proto__` key at every nesting level, since the vulnerable helpers recurse into nested objects. This does not fix the library, but it keeps malicious keys from reaching the vulnerable code path. There are no WAF rules or configuration workarounds for this vulnerability beyond the upgrade.
Update the zrender library to version 5.2.1 or higher. If you cannot update immediately, check the keys of any object you pass to the affected methods and omit `__proto__` before calling them. If you are using ECharts, the same objects reach these helpers through `echarts.util.merge` and through `setOption`, which merges a new option into the existing one, so apply the key check there as well.
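The following is an added example and not code from zrender or ECharts. It shows a deliberately naive recursive merge in the style of the `merge`/`clone` pattern the advisory describes (a simplified stand-in, not the real `util.ts` implementation), the pollution it allows when the source object comes from JSON, a hardened merge that skips the dangerous keys, and the input sanitizer the workaround above calls for. The attacker payload is constructed for the demonstration. Rejecting `constructor` and `prototype` in addition to `__proto__` goes beyond what the advisory names and is a defense-in-depth assumption.

```javascript
// Constructed attacker input. It must arrive as JSON: an object literal
// { __proto__: {...} } would set the prototype rather than create an own
// key, whereas JSON.parse creates an own, enumerable "__proto__" property.
const PAYLOAD = '{"series":[{"type":"bar"}],"__proto__":{"polluted":true}}';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: every own key of `source` is walked, including
// "__proto__", and the merge recurses into target[key]. For "__proto__"
// that is Object.prototype, so the attacker's nested keys land there.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const sv = source[key];
    const tv = target[key];
    if (isPlainObject(sv) && isPlainObject(tv)) {
      unsafeMerge(tv, sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// Keys that must never be copied from untrusted input. The advisory names
// "__proto__"; "constructor" and "prototype" are added as an assumption.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: skips dangerous keys and only recurses into properties
// the target actually owns, never into anything inherited.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const sv = source[key];
    const tv = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(sv) && isPlainObject(tv)) {
      safeMerge(tv, sv);
    } else {
      target[key] = isPlainObject(sv) ? safeMerge({}, sv) : sv;
    }
  }
  return target;
}

// Workaround for code that cannot upgrade: deep-copy untrusted input,
// dropping dangerous keys at every level, before handing it to the library.
function sanitizeKeys(value) {
  if (Array.isArray(value)) return value.map(sanitizeKeys);
  if (!isPlainObject(value)) return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    out[key] = sanitizeKeys(value[key]);
  }
  return out;
}

// Merges `untrusted` into a chart-like option with the given merge function
// and reports whether a brand-new object now inherits the attacker's
// property. Cleans Object.prototype afterwards so the check is repeatable.
function pollutes(mergeFn, untrusted) {
  const option = { title: { text: 'Sales' }, series: [{ type: 'line', data: [1, 2, 3] }] };
  mergeFn(option, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('naive merge polluted:', pollutes(unsafeMerge, JSON.parse(PAYLOAD)));                 // true
console.log('hardened merge polluted:', pollutes(safeMerge, JSON.parse(PAYLOAD)));                // false
console.log('naive merge on sanitized input:', pollutes(unsafeMerge, sanitizeKeys(JSON.parse(PAYLOAD)))); // false
```

Run it with `node` and the first line prints `true`: a fresh `{}` created after the naive merge reports `polluted === true` even though nothing ever assigned it. The `sanitizeKeys` step is the one to apply to request bodies before they reach `setOption` or `echarts.util.merge` on an unpatched build; it is not a substitute for the upgrade, because it only protects the call sites you remember to wrap.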
CVE-2021-39227 is a prototype pollution vulnerability in zrender before 5.2.1, and therefore in the Apache ECharts releases that bundle those zrender versions. It allows attackers to write properties onto `Object.prototype` through the `merge` and `clone` helpers, potentially leading to denial of service.
You are affected if you are using Apache ECharts or zrender versions prior to 5.2.1. Check your dependencies to determine if an upgrade is necessary.
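zrender is usually a transitive dependency pulled in by ECharts rather than something listed in your own `package.json`, and a project can end up with more than one installed copy. The following is an added example, not a tool from the advisory or the zrender project: it scans an npm `package-lock.json` (the v1 nested `dependencies` tree or the v2/v3 flat `packages` map) for every installed zrender and reports the copies below 5.2.1. The sample lockfile is constructed for the demonstration.

```javascript
// Fixed version from the advisory: zrender 5.2.1.
const FIXED = [5, 2, 1];

// Parse "major.minor.patch" (ignoring any prerelease/build suffix).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is older than the fixed release.
function isAffected(version) {
  const parsed = parseVersion(version);
  return parsed !== null && compareVersions(parsed, FIXED) < 0;
}

// Returns every installed zrender as { path, version }, handling both
// lockfile layouts so nested (hoisted or duplicated) copies are not missed.
function findZrender(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/zrender' || path.endsWith('/node_modules/zrender')) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested tree under "dependencies".
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'zrender') hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

function affectedZrender(lock) {
  return findZrender(lock).filter((h) => isAffected(h.version));
}

// Constructed sample: one hoisted zrender below the fix and one nested copy
// already on 5.2.1 (a hypothetical wrapper package, not a real one).
const SAMPLE_LOCK = {
  name: 'dashboard',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { echarts: '^5.2.0', 'some-chart-wrapper': '^1.0.0' } },
    'node_modules/echarts': { version: '5.2.0', dependencies: { zrender: '5.2.0' } },
    'node_modules/zrender': { version: '5.2.0' },
    'node_modules/some-chart-wrapper': { version: '1.0.0', dependencies: { zrender: '5.2.1' } },
    'node_modules/some-chart-wrapper/node_modules/zrender': { version: '5.2.1' },
  },
};

for (const hit of affectedZrender(SAMPLE_LOCK)) {
  console.log(`AFFECTED: ${hit.path} is zrender ${hit.version} (< 5.2.1)`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. The scan covers npm lockfiles only; yarn and pnpm use different formats, and a bundled build of ECharts served from a CDN carries its zrender inside the bundle, where you have to check the ECharts version instead.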
Upgrade both zrender and Apache ECharts to version 5.2.1 or later. This resolves the prototype pollution vulnerability.
There is currently no evidence of active exploitation campaigns targeting CVE-2021-39227.
Refer to the zrender GitHub repository for details: https://github.com/ecomfe/zrender/pull/826