CVE-2021-3757: Prototype Pollution in immer

CVSS Score: 7.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.31142%
Published: 9/7/2021
Updated: 4/25/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name: immer
Ecosystem: npm
Vulnerable Versions: >= 7.0.0, < 9.0.6
First Patched Version: 9.0.6

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from how path elements were processed in the patching mechanism. The key change in the fix was coercing path[i] to a string ("" + path[i]), which indicates that the original code accepted non-string path elements. This allowed malicious paths such as [["__proto__"], "x"], where the array ["__proto__"] was not converted to a string key before use, enabling prototype pollution. The test case added in patch.js verifies that this specific attack vector is blocked after the fix.
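The contrast the analysis describes, as an added example that is not immer's own code: a minimal patch applier walks a path array and checks each segment against a denylist. The weak form compares the raw segment with the denylisted strings, so a non-string segment such as the array ["__proto__"] passes even though a property lookup would turn it into the key "__proto__"; the hardened form coerces the segment to a string first ("" + segment), which is the change the fix made. The function names, the { path, value } patch shape and the sample data are assumptions made for this example.

```javascript
// Added example, not immer's code. Shows a segment denylist written two ways
// (raw comparison vs. coerce-then-compare) and a patch applier that only
// traverses keys it has actually inspected. Names and patch shape are assumed.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Weak check: a Set lookup (SameValueZero) never matches an array against a
// string, so ["__proto__"] is not flagged although obj[["__proto__"]] would
// resolve to obj["__proto__"] at lookup time.
function isForbiddenSegmentWeak(segment) {
  return FORBIDDEN_KEYS.has(segment);
}

// Hardened check: coerce exactly as the property lookup will, then compare.
// "" + ["__proto__"] === "__proto__", so the array form is caught too.
function isForbiddenSegmentHardened(segment) {
  return FORBIDDEN_KEYS.has("" + segment);
}

// Validate every segment of a patch path: reject anything that is not a plain
// string or number, then apply the hardened denylist to the coerced key.
// Returns the list of string keys the applier will use.
function validatePath(path) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError("patch path must be a non-empty array");
  }
  return path.map((segment) => {
    if (typeof segment !== "string" && typeof segment !== "number") {
      throw new TypeError(`unsupported path segment type: ${typeof segment}`);
    }
    const key = "" + segment;
    if (isForbiddenSegmentHardened(key)) {
      throw new Error(`refusing to traverse forbidden key "${key}"`);
    }
    return key;
  });
}

// Apply one replace-style patch to a deep copy of base (plain JSON data only,
// so a JSON round-trip is enough for the copy). Missing intermediate objects
// are created; only own properties are followed, never inherited ones.
function applyReplacePatch(base, patch) {
  const keys = validatePath(patch.path);
  const result = JSON.parse(JSON.stringify(base));
  const hasOwn = Object.prototype.hasOwnProperty;
  let cursor = result;
  for (const key of keys.slice(0, -1)) {
    if (!hasOwn.call(cursor, key) || cursor[key] === null || typeof cursor[key] !== "object") {
      cursor[key] = {};
    }
    cursor = cursor[key];
  }
  cursor[keys[keys.length - 1]] = patch.value;
  return result;
}

// Wrapper that reports rejection instead of throwing, for triaging a batch of
// untrusted patches without aborting on the first bad one.
function tryApplyReplacePatch(base, patch) {
  try {
    return { ok: true, result: applyReplacePatch(base, patch) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample input for a stand-alone run.
const sampleBase = { user: { name: "alice", role: "viewer" } };
const benignPatch = { path: ["user", "role"], value: "editor" };
const suspiciousPatch = { path: [["__proto__"], "x"], value: 1 }; // path shape from the advisory text

console.log(tryApplyReplacePatch(sampleBase, benignPatch));
console.log(tryApplyReplacePatch(sampleBase, suspiciousPatch));
console.log("weak check flags it:", isForbiddenSegmentWeak(suspiciousPatch.path[0]));
console.log("hardened check flags it:", isForbiddenSegmentHardened(suspiciousPatch.path[0]));
```

The type check in validatePath is belt-and-braces: even with the hardened denylist in place, refusing non-string, non-number segments outright means the applier never relies on implicit ToPropertyKey conversion, which is the step the original check failed to account for.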

WAF Protection Rules

WAF Rule

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

Reasoning

The vulnerability stemmed from how path elements were processed in the patching mechanism. The key change in the fix was coercing path[i] to a string ("" + path[i]), indicating the original code accepted non-string path elements. This allowed malicious paths like [["__proto__"], "x"] where the array ["__proto__"] wasn't properly converted to a string key, enabling prototype pollution. The test case added in patch.js verifies this specific attack vector is blocked after the fix.