Prototype Pollution in immer
Critical severity
GitHub Reviewed
Published Sep 2, 2021 to the GitHub Advisory Database • Updated Apr 30, 2024

Published by the National Vulnerability Database: Sep 1, 2021
Reviewed: Sep 2, 2021

Description
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === "__proto__" || p === "constructor")` in `applyPatches_` returns false if `p` is `['__proto__']` (or `['constructor']`). The `===` operator (strict equality operator) returns false if the operands have different types.