immerjs/immer

immerjs/immer

immerjs.github.io

Releases157

Frequency2 weeks 5 days

Last Release about 2 months ago

Stars28.9K

Create the next immutable state by mutating the current one

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2021-3757 ↗	Sep 2, 2021Thursday, 2 September 2021, 12:15	9.8 CRITICAL	7.5 HIGH
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-23436 ↗	Sep 1, 2021Wednesday, 1 September 2021, 18:15	5.6 MEDIUM	7.5 HIGH
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" \|\| p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
CVE-2020-28477 ↗	Jan 19, 2021Tuesday, 19 January 2021, 11:15	7.5 HIGH	5 MEDIUM
This affects all versions of package immer.