CVE-2021-39227 — Prototype Pollution in the merge and clone helper methods

Description

### Impact Using `merge` and `clone` helper methods in the `src/core/util.ts` module will have prototype pollution. It will affect the popular data visualization library Apache ECharts, which is using and exported these two methods directly. ### Patches It has been patched in https://github.com/ecomfe/zrender/pull/826. Users should update zrender to `5.2.1`. and update echarts to `5.2.1` if project is using echarts. ### References NA ### For more information NA

How to fix CVE-2021-39227

To remediate CVE-2021-39227, upgrade the affected package to a fixed version below.

—upgrade to 5.2.1 or later

Is CVE-2021-39227 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 5.0.0, < 5.2.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.2	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-39227
PATCHgithub.com/ecomfe/zrender
WEBgithub.com/ecomfe/zrender/pull/826
WEBgithub.com/ecomfe/zrender/releases/tag/5.2.1
WEB