cvedb.io
CVE-2021-39227
MEDIUM · CVSS 6.2
EPSS exploitation probability: 0%
Published 2021-09-17T14:15:08.353 · Last modified 2026-06-17T04:03:21.320

Summary

ZRender is a lightweight graphic library providing 2D drawing for Apache ECharts. In versions prior to 5.2.1, the `merge` and `clone` helper methods in the `src/core/util.ts` module are vulnerable to prototype pollution. This also affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. The issue is patched in ZRender version 5.2.1. One workaround is available: check whether `__proto__` is among the object's keys and omit it before passing the object to these affected methods, or, if the project uses ECharts, to `echarts.util.merge` and `setOption`.
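As an added illustration (not ZRender's or ECharts' own code), a simplified recursive merge in the naive shape that lets a `__proto__` key reach `Object.prototype`, beside a hardened form, plus the advisory's workaround as a pre-filter for untrusted option objects. The filter also omits `constructor` and `prototype`, which goes beyond the page's `__proto__` check.

```javascript
// Keys whose presence in an untrusted object lets a recursive merge reach
// Object.prototype (the advisory names `__proto__`; the other two are related).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive merge: a parsed-JSON own key "__proto__" makes target[key] resolve to
// Object.prototype, so the recursion writes into every object in the realm.
function mergeNaive(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      mergeNaive(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: drops unsafe keys and only recurses into the target's own
// plain-object properties, never into inherited ones.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// The advisory's workaround as a pre-filter: a deep copy with unsafe keys
// omitted, to run on untrusted options before echarts.util.merge/setOption.
function stripUnsafeKeys(value) {
  if (Array.isArray(value)) return value.map(stripUnsafeKeys);
  if (!isPlainObject(value)) return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (!UNSAFE_KEYS.has(key)) out[key] = stripUnsafeKeys(value[key]);
  }
  return out;
}
```

Run `stripUnsafeKeys` on any option object that comes from user input or a remote source, and keep `mergeSafe`'s own-property check even when the input is believed clean.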

Affected products

baidu — zrender

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.