Prototype pollution in immer

#VU57216 Prototype pollution in immer

Published: 2021-10-11

Vulnerability identifier: #VU57216

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-23436

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
immer
Web applications / JS libraries

Vendor: immer

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request to the application and perform prototype pollution.

Note, the vulnerability exists due to incomplete fix for #VU57215.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

immer: 8.0.1 - 9.0.5

External links
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579266
http://snyk.io/vuln/SNYK-JS-IMMER-1540542
http://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Edge Application Manager

Multiple vulnerabilities in IBM Business Automation Manager Open Editions

Multiple vulnerabilities in Red Hat Process Automation Manager

Prototype pollution in immer