VulnerableCode Package Details - pkg:npm/immer@4.0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-2xa5-ggz7-uudj Aliases: CVE-2021-3757 GHSA-c36v-fmgq-m8hx	Improperly Controlled Modification of Dynamically-Determined Object Attributes immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')	9.0.6 Affected by 0 other vulnerabilities.
VCID-48k4-6btj-9kha Aliases: CVE-2021-23436 GHSA-33f9-j839-rf8h	Access of Resource Using Incompatible Type (Type Confusion) A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === "__proto__" \|\| p === "constructor")` in `applyPatches_` returns false if `p` is `['__proto__']` (or `['constructor']`). The `===` operator (strict equality operator) returns false if the operands have different type.	9.0.6 Affected by 0 other vulnerabilities.
VCID-akqv-e39m-hye2 Aliases: CVE-2020-28477 GHSA-9qmh-276g-x5pj	Prototype Pollution in immer ## Overview Affected versions of immer are vulnerable to Prototype Pollution. ## Proof of exploit ```js const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted); ``` ## Remediation Version 8.0.1 contains a [fix](https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5) for this vulnerability, updating is recommended.	8.0.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-2xa5-ggz7-uudj
Aliases:
CVE-2021-3757
GHSA-c36v-fmgq-m8hx

Improperly Controlled Modification of Dynamically-Determined Object Attributes immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

9.0.6
Affected by 0 other vulnerabilities.

VCID-48k4-6btj-9kha
Aliases:
CVE-2021-23436
GHSA-33f9-j839-rf8h

Access of Resource Using Incompatible Type (Type Confusion) A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === "__proto__" || p === "constructor")` in `applyPatches_` returns false if `p` is `['__proto__']` (or `['constructor']`). The `===` operator (strict equality operator) returns false if the operands have different type.

9.0.6
Affected by 0 other vulnerabilities.

VCID-akqv-e39m-hye2
Aliases:
CVE-2020-28477
GHSA-9qmh-276g-x5pj

Prototype Pollution in immer ## Overview Affected versions of immer are vulnerable to Prototype Pollution. ## Proof of exploit ```js const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted); ``` ## Remediation Version 8.0.1 contains a [fix](https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5) for this vulnerability, updating is recommended.

8.0.1
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:30:40.768370+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.4.0
2026-04-16T21:30:29.904888+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.4.0
2026-04-16T21:16:02.927534+00:00	GitLab Importer	Affected by	VCID-akqv-e39m-hye2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2020-28477.yml	38.4.0
2026-04-11T22:43:48.145760+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.3.0
2026-04-11T22:43:36.716595+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.3.0
2026-04-11T22:28:10.659886+00:00	GitLab Importer	Affected by	VCID-akqv-e39m-hye2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2020-28477.yml	38.3.0
2026-04-02T22:53:53.393291+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.1.0
2026-04-02T22:53:43.368777+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.1.0
2026-04-02T22:39:48.561193+00:00	GitLab Importer	Affected by	VCID-akqv-e39m-hye2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2020-28477.yml	38.1.0
2026-04-01T17:12:07.727968+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.0.0
2026-04-01T17:11:56.640518+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.0.0
2026-04-01T16:57:14.325020+00:00	GitLab Importer	Affected by	VCID-akqv-e39m-hye2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2020-28477.yml	38.0.0