Intel

AIKIDO-2026-445255

immer is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

65

Medium Risk

This Affects:

JSimmer
4.0.0 - 11.1.8
Fixed in 11.1.9
Are you affected? Scan for Free

TL;DR

Affected versions of the immer library are vulnerable to Prototype Pollution via draft.constructor.prototype, bypassing prior fixes for CVE-2021-23436. The proxy get trap returned constructor and __proto__ without guards, so attacker-controlled input (e.g. Object.assign(draft, req.body) with {"constructor":{"prototype":{"isAdmin":true}}}) can mutate Object.prototype and affect all objects. This may lead to authentication bypass, authorization escalation, or remote code execution.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

immer is vulnerable to Prototype Pollution in versions 4.0.0 - 11.1.8.

How to fix this

Upgrade the immer library to the patch version.