CVE-2021-23436

low-risk

Published 2021-09-01

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Do I need to act?

0.10% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.6/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Immer

Affected Vendors

Immer Project

References (6)

Patch https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237

Exploit https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579266

Exploit https://snyk.io/vuln/SNYK-JS-IMMER-1540542

Patch https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237

Exploit https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579266

Exploit https://snyk.io/vuln/SNYK-JS-IMMER-1540542

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal