Description

ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: Check if there is `__proto__` in the object keys. Omit it before using it as an parameter in these affected methods. Or in `echarts.util.merge` and `setOption` if project is using ECharts.

Remediation

References

https://github.com/ecomfe/zrender/pull/826

https://github.com/ecomfe/zrender/releases/tag/5.2.1

https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf

Related Vulnerabilities

CVE-2023-26477 Vulnerability in maven package org.xwiki.platform:xwiki-platform-flamingo-theme-ui

CVE-2021-26707 Vulnerability in npm package merge-deep

CVE-2021-21388 Vulnerability in npm package systeminformation

CVE-2022-35916 Vulnerability in npm package @openzeppelin/contracts

CVE-2022-34115 Vulnerability in maven package io.dataease:dataease-plugin-common

Severity

Critical

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Release Notes