Description
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different types.
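The check quoted above, modelled as an added example (this is not immer's code); the hardened variant and the names isDangerousKeyLoose, isDangerousKeyHardened and validatePath are assumptions made for illustration, not the project's actual fix:

```javascript
// Added example, not from immer. Models the key check described in the
// CVE text: a strict-equality comparison against two string literals.
function isDangerousKeyLoose(p) {
  // An array such as ['__proto__'] is never === to a string, so this
  // returns false for it even though String(['__proto__']) is "__proto__".
  return p === "__proto__" || p === "constructor";
}

// Hardened variant (assumed, not immer's actual patch): only plain string
// or number segments are acceptable path keys, and the comparison is made
// on the string form so the type of the operand cannot defeat it.
function isDangerousKeyHardened(p) {
  if (typeof p !== "string" && typeof p !== "number") {
    return true; // arrays, objects, etc. are rejected outright
  }
  const key = String(p);
  return key === "__proto__" || key === "constructor";
}

// Validates a whole patch path with the supplied key check; a path is
// accepted only if it is an array with no dangerous segment.
function validatePath(path, isDangerous) {
  return Array.isArray(path) && path.every((p) => !isDangerous(p));
}
```

With the loose check a path like [['__proto__'], 'x'] validates, while the hardened check rejects it.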
References (3)
Exploit, Patch, Third Party Advisory: https://snyk.io/vuln/SNYK-JS-IMMER-1540542
Exploit, Patch, Third Party Advisory: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579266
Patch, Third Party Advisory: https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237
Scores
CVSS v3
5.6
EPSS
0.0031
EPSS Percentile
54.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-843
Status
published
Products (2)
immer_project/immer
< 9.0.6
npm/immer
7.0.0 - 9.0.6 (npm)
Published
Sep 01, 2021
Tracked Since
Feb 18, 2026