CVE-2021-39227: 
JavaScript vulnerability analysis and mitigation

ZRender, a lightweight graphic library providing 2D drawing capabilities for Apache ECharts, was found to contain a prototype pollution vulnerability (CVE-2021-39227) in versions prior to 5.2.1. The vulnerability exists in the merge and clone helper methods within the src/core/util.ts module. This security issue was discovered and disclosed in September 2021, affecting both ZRender directly and the popular data visualization library Apache ECharts which uses and exports these methods (GitHub Advisory).

The vulnerability stems from the implementation of merge and clone helper methods in the src/core/util.ts module, which allows for prototype pollution. The issue received a CVSS classification and was categorized under CWE-1321. A proof of concept demonstrating the vulnerability was provided in the GitHub Security Advisory (GitHub Advisory).

The vulnerability could lead to prototype pollution, potentially affecting applications using either ZRender directly or Apache ECharts, which incorporates and exposes these vulnerable methods. This could result in unexpected behavior or security implications in applications utilizing these libraries (GitHub Advisory).

The vulnerability was patched in ZRender version 5.2.1. Users are advised to update to this version or later. For those using Apache ECharts, updating to version 5.2.1 or later is recommended. As a workaround, users can check for and omit __proto__ in object keys before using them as parameters in the affected methods or in echarts.util.merge and setOption (GitHub Advisory).