VulnerableCode Package Details - pkg:npm/immer@9.0.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-2xa5-ggz7-uudj Aliases: CVE-2021-3757 GHSA-c36v-fmgq-m8hx	Improperly Controlled Modification of Dynamically-Determined Object Attributes immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')	9.0.6 Affected by 0 other vulnerabilities.
VCID-48k4-6btj-9kha Aliases: CVE-2021-23436 GHSA-33f9-j839-rf8h	Access of Resource Using Incompatible Type (Type Confusion) A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === "__proto__" \|\| p === "constructor")` in `applyPatches_` returns false if `p` is `['__proto__']` (or `['constructor']`). The `===` operator (strict equality operator) returns false if the operands have different type.	9.0.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2xa5-ggz7-uudj
Aliases:
CVE-2021-3757
GHSA-c36v-fmgq-m8hx

Improperly Controlled Modification of Dynamically-Determined Object Attributes immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

9.0.6
Affected by 0 other vulnerabilities.

VCID-48k4-6btj-9kha
Aliases:
CVE-2021-23436
GHSA-33f9-j839-rf8h

Access of Resource Using Incompatible Type (Type Confusion) A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === "__proto__" || p === "constructor")` in `applyPatches_` returns false if `p` is `['__proto__']` (or `['constructor']`). The `===` operator (strict equality operator) returns false if the operands have different type.

9.0.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:30:40.972800+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.4.0
2026-04-16T21:30:30.093513+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.4.0
2026-04-11T22:43:48.344816+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.3.0
2026-04-11T22:43:36.944291+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.3.0
2026-04-02T22:53:53.581052+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.1.0
2026-04-02T22:53:43.556383+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.1.0
2026-04-01T17:12:07.942732+00:00	GitLab Importer	Affected by	VCID-2xa5-ggz7-uudj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-3757.yml	38.0.0
2026-04-01T17:11:56.867637+00:00	GitLab Importer	Affected by	VCID-48k4-6btj-9kha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/immer/CVE-2021-23436.yml	38.0.0