VulnerableCode Package Details - pkg:npm/immer@8.0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-2xa5-ggz7-uudj Aliases: CVE-2021-3757 GHSA-c36v-fmgq-m8hx	Improperly Controlled Modification of Dynamically-Determined Object Attributes immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')	9.0.6 Affected by 0 other vulnerabilities.
VCID-48k4-6btj-9kha Aliases: CVE-2021-23436 GHSA-33f9-j839-rf8h	Access of Resource Using Incompatible Type (Type Confusion) A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === "__proto__" \|\| p === "constructor")` in `applyPatches_` returns false if `p` is `['__proto__']` (or `['constructor']`). The `===` operator (strict equality operator) returns false if the operands have different type.	9.0.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2xa5-ggz7-uudj
Aliases:
CVE-2021-3757
GHSA-c36v-fmgq-m8hx

Improperly Controlled Modification of Dynamically-Determined Object Attributes immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

9.0.6
Affected by 0 other vulnerabilities.

VCID-48k4-6btj-9kha
Aliases:
CVE-2021-23436
GHSA-33f9-j839-rf8h

Access of Resource Using Incompatible Type (Type Confusion) A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === "__proto__" || p === "constructor")` in `applyPatches_` returns false if `p` is `['__proto__']` (or `['constructor']`). The `===` operator (strict equality operator) returns false if the operands have different type.

9.0.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-akqv-e39m-hye2	Prototype Pollution in immer ## Overview Affected versions of immer are vulnerable to Prototype Pollution. ## Proof of exploit ```js const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted); ``` ## Remediation Version 8.0.1 contains a [fix](https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5) for this vulnerability, updating is recommended.	CVE-2020-28477 GHSA-9qmh-276g-x5pj

Vulnerability

Summary

Aliases

VCID-akqv-e39m-hye2

Prototype Pollution in immer ## Overview Affected versions of immer are vulnerable to Prototype Pollution. ## Proof of exploit ```js const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted); ``` ## Remediation Version 8.0.1 contains a [fix](https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5) for this vulnerability, updating is recommended.

CVE-2020-28477
GHSA-9qmh-276g-x5pj

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:30:40.943757+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.4.0
2026-04-16T21:30:30.067693+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.4.0
2026-04-11T22:43:48.318709+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.3.0
2026-04-11T22:43:36.912651+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.3.0
2026-04-02T22:53:53.554928+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.1.0
2026-04-02T22:53:43.529759+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.1.0
2026-04-02T16:56:08.492543+00:00	GHSA Importer	Fixing	VCID-akqv-e39m-hye2	https://github.com/advisories/GHSA-9qmh-276g-x5pj	38.1.0
2026-04-02T12:37:52.642348+00:00	GitLab Importer	Fixing	VCID-akqv-e39m-hye2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2020-28477.yml	38.0.0
2026-04-01T17:12:07.913660+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.0.0
2026-04-01T17:11:56.831153+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.0.0
2026-04-01T13:01:04.844866+00:00	GithubOSV Importer	Fixing	VCID-akqv-e39m-hye2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-9qmh-276g-x5pj/GHSA-9qmh-276g-x5pj.json	38.0.0