Search for packages
| purl | pkg:npm/immer@6.0.0-alpha.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2xa5-ggz7-uudj
Aliases: CVE-2021-3757 GHSA-c36v-fmgq-m8hx |
Improperly Controlled Modification of Dynamically-Determined Object Attributes immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
Affected by 0 other vulnerabilities. |
|
VCID-48k4-6btj-9kha
Aliases: CVE-2021-23436 GHSA-33f9-j839-rf8h |
Access of Resource Using Incompatible Type (Type Confusion) A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === "__proto__" || p === "constructor")` in `applyPatches_` returns false if `p` is `['__proto__']` (or `['constructor']`). The `===` operator (strict equality operator) returns false if the operands have different type. |
Affected by 0 other vulnerabilities. |
|
VCID-akqv-e39m-hye2
Aliases: CVE-2020-28477 GHSA-9qmh-276g-x5pj |
Prototype Pollution in immer ## Overview Affected versions of immer are vulnerable to Prototype Pollution. ## Proof of exploit ```js const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted); ``` ## Remediation Version 8.0.1 contains a [fix](https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5) for this vulnerability, updating is recommended. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||