immer is vulnerable to Prototype Pollution
65
Medium Risk
Affected versions of the immer library are vulnerable to Prototype Pollution via draft.constructor.prototype, bypassing prior fixes for CVE-2021-23436. The proxy get trap returned constructor and __proto__ without guards, so attacker-controlled input (e.g. Object.assign(draft, req.body) with {"constructor":{"prototype":{"isAdmin":true}}}) can mutate Object.prototype and affect all objects. This may lead to authentication bypass, authorization escalation, or remote code execution.
You are affected if you are using a version that falls within the vulnerable range.
immer is vulnerable to Prototype Pollution in versions 4.0.0 - 11.1.8.
Upgrade the immer library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant