Fix prototype pollution in the zrender merge and clone helper methods
Description
ZRender prior to 5.2.1 allows prototype pollution via merge and clone utility methods, affecting Apache ECharts users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ZRender, a lightweight 2D graphics library used by Apache ECharts, contains a prototype pollution vulnerability in the merge and clone helper methods defined in src/core/util.ts [1]. Versions prior to 5.2.1 (and prior to 4.3.3 on the 4.x branch) are affected [4]. The vulnerability is reachable when user-controllable objects with a __proto__ key are passed to these functions [1].
Exploitation
The attacker needs to supply a crafted object that includes a __proto__ property. When a victim application calls either merge or clone on that object, the nested __proto__ key is not sanitized, allowing the attacker to inject properties into the global Object.prototype [1][4]. No special network position, authentication, or user interaction beyond passing the malicious object is required, making this straightforward to exploit if the application merges or clones attacker-controlled data.
Impact
Successful prototype pollution can alter the behavior of all objects in the JavaScript runtime, potentially leading to property injection, denial of service, or arbitrary code execution depending on how downstream code uses the polluted properties [1][4]. Since ECharts exports echarts.util.merge and setOption uses these methods, any ECharts application that processes untrusted input risks compromise of the rendering environment and the wider web application [1].
Mitigation
ZRender version 5.2.1 (and 4.3.3 for the 4.x line) fixes the issue by sanitizing __proto__ keys in the vulnerable methods [4]. Users should update ZRender to 5.2.1 or later, and if using Apache ECharts, update ECharts to 5.2.1 as well [1]. As a workaround, applications can manually inspect and omit any __proto__ key from objects before passing them to merge, clone, echarts.util.merge, or setOption [1]. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| zrender | npm | >= 5.0.0, < 5.2.1 | 5.2.1 |
| zrender | npm | < 4.3.3 | 4.3.3 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation in `merge` and `clone` helpers allows `__proto__` keys to modify `Object.prototype`."
Attack vector
An attacker supplies a crafted object containing a `__proto__` key as input to the `merge` or `clone` helper methods [ref_id=1]. Because the methods do not filter or block `__proto__` properties, the attacker can pollute the prototype of all objects, leading to unexpected behavior or property injection across the application [CWE-1321]. The attack requires no special privileges beyond the ability to pass attacker-controlled data to these methods (e.g., via ECharts `setOption`).
Affected code
The `merge` and `clone` helper methods in the `src/core/util.ts` module are at fault [ref_id=1][ref_id=2]. These methods are exported and used by Apache ECharts via `echarts.util.merge` and `setOption` [ref_id=1].
What the fix does
The patch (pull request #826) modifies the `merge` and `clone` helpers in `src/core/util.ts` to check for and omit `__proto__` keys from object input [ref_id=1][ref_id=2]. This closes the prototype pollution vector by preventing attackers from modifying `Object.prototype`. Users should update ZRender to version 5.2.1 (or 4.3.3 for the 4.x branch) and ECharts to 5.2.1 if applicable [ref_id=2].
Preconditions
- Input: Attacker must be able to supply a crafted object (containing __proto__) to the merge or clone helper methods, or to ECharts setOption.
- Auth: No authentication or special privileges required; the attack surface is any input path that reaches these methods.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fhv8-fx5f-7fxf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-39227 (GHSA advisory)
- github.com/ecomfe/zrender/pull/826 (GHSA, x_refsource_MISC, web)
- github.com/ecomfe/zrender/releases/tag/5.2.1 (GHSA, x_refsource_MISC, web)
- github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf (GHSA, x_refsource_CONFIRM, web)
News mentions (0)
No linked articles in our index yet.