High-severity vulnerability in dependent package

[meatflavourdev]

GitHub Advisory Database / CVE-2020-28477

Prototype Pollution in immer

⛔ high severity

Package	Affected versions	Patched versions
immer (npm)	< 8.0.1	8.0.1

Overview

Affected versions of immer are vulnerable to Prototype Pollution.

Proof of exploit

const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted);
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted);

Remediation

Version 8.0.1 contains a fix for this vulnerability, updating is recommended.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-28477
• Prototype Pollution vulnerability  immerjs/immer#738
• immerjs/immer@da2bd4f
• https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts%23L213
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986
• https://snyk.io/vuln/SNYK-JS-IMMER-1019369
• https://www.npmjs.com/package/immer

[meatflavourdev]

Updating the Immer package past 8.0.1 is advised for security -- it looks like this can be accomplished by updating the easy-peasy dependency.

[moklick]

Hey! Since v9 we no longer use easy-peasy (and immer) anymore.

[meatflavourdev]

Riiiight i just saw that-- tis me who needs to update!