9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23436

GHSA ID

GHSA-33f9-j839-rf8h

EPSS Score

0.30227%

CWE

CWE-843

Published

9/2/2021

Updated

4/30/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-23436

CVE-2021-23436: Prototype Pollution in immer

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23436

GHSA ID

GHSA-33f9-j839-rf8h

EPSS Score

0.30227%

CWE

CWE-843

Published

9/2/2021

Updated

4/30/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
immer	npm	>= 7.0.0, < 9.0.6	9.0.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from path element processing in applyPatches_ where path[i] could be an array (e.g., ['proto']). The strict equality check (p === 'proto') fails because array vs string type mismatch, allowing prototype pollution. The patch converts path[i] to string ('' + path[i]), confirming the vulnerable code was in this path processing loop. The test case added in tests/patch.js directly targets this scenario, and the CVE description explicitly references the applyPatches_ function's condition check as the vulnerable point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** imm*r ***or* *.*.*. * typ* *on*usion vuln*r**ility **n l*** to * *yp*ss o* *V*-****-***** w**n t** us*r-provi*** k*ys us** in t** p*t* p*r*m*t*r *r* *rr*ys. In p*rti*ul*r, t*is *yp*ss is possi*l* ****us* t** *on*ition `(p ===

Reasoning

T** vuln*r**ility st*ms *rom p*t* *l*m*nt pro**ssin* in *pplyP*t***s_ w**r* p*t*[i] *oul* ** *n *rr*y (*.*., ['__proto__']). T** stri*t *qu*lity ****k (p === '__proto__') **ils ****us* *rr*y vs strin* typ* mism*t**, *llowin* prototyp* pollution. T**

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-23436: Prototype Pollution in immer

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI