CVE-2020-28477
Prototype Pollution vulnerability in immer (npm)
What is CVE-2020-28477 About?
Affected versions of Immer are vulnerable to Prototype Pollution, where attackers can add or modify properties of the Object prototype. This allows for arbitrary property injection and can lead to denial of service or other critical impacts. Exploitation is demonstrated via `applyPatches` and is relatively easy given a controlled input.
Affected Software
Technical Details
The immer library, within its affected versions, is vulnerable to Prototype Pollution. This flaw allows an attacker to inject or modify arbitrary properties on the global `Object.prototype`. The proof of concept demonstrates this using the `applyPatches` function: by supplying a crafted patch array such as `[ { op: 'add', path: [ '__proto__', 'polluted' ], value: 'yes' } ]`, the attacker can directly target and modify properties of `Object.prototype`. Once a property is added to `Object.prototype`, it is visible on every object in the application through the prototype chain. This can lead to various attacks, including denial of service (by overwriting critical functions or values), arbitrary code execution (especially in contexts where object properties influence execution flow), or information disclosure.
What is the Impact of CVE-2020-28477?
Successful exploitation may allow attackers to achieve denial of service, arbitrary code execution, or unauthorized data manipulation by modifying core JavaScript object prototypes.
What is the Exploitability of CVE-2020-28477?
Exploitation of this vulnerability is of low to medium complexity, as it requires the attacker to control input that eventually reaches the applyPatches function (or similar vulnerable methods) within immer. No authentication is typically required if the vulnerable function processes user-supplied data in an unauthenticated context. This is often a remote exploitation scenario, depending on how external input is handled. The attacker does not explicitly need elevated privileges, but successful exploitation can lead to privilege escalation. Special conditions include the application exposing an endpoint that processes data which can be transformed into immer patches directly or indirectly. The primary risk factor is applications accepting and processing untrusted structured data (e.g., JSON) that can be interpreted as patches for immer.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-28477?
About the Fix from Resolved Security
The patch prevents patch operations from modifying the special properties __proto__, constructor, and prototype on plain objects and arrays, which addresses the prototype pollution vulnerability tracked as CVE-2020-28477. By blocking patches that target these paths and throwing an error, the patch ensures attackers cannot inject properties into global prototypes, thereby preventing potential arbitrary code execution or privilege escalation through polluted prototypes.
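As an added illustration of the Technical Details and the fix described above (this is not immer's own code), the following minimal patch applier shows the naive path walk that reaches `Object.prototype`, beside a hardened version that rejects the reserved keys named in the fix. The patch shape `{ op, path, value }`, the function names and the error message are assumptions for this example.

```javascript
// Added example, not code from immer: a minimal "add"/"replace" patch applier,
// first without and then with the reserved-key check the fix introduces.
// Patch shape follows the advisory: { op, path: [...keys], value }.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walks `path` with plain property access, as a naive applier would.
// Because obj["__proto__"] resolves to the prototype, a path starting with
// "__proto__" on a plain object lands on Object.prototype.
function applyPatchesUnsafe(base, patches) {
  for (const { op, path, value } of patches) {
    if (op !== "add" && op !== "replace") throw new Error(`unsupported op ${op}`);
    let target = base;
    for (const key of path.slice(0, -1)) target = target[key];
    target[path[path.length - 1]] = value;
  }
  return base;
}

// Hardened applier: refuses any path segment naming a prototype-related
// property and throws instead of writing, mirroring the described fix.
function applyPatchesSafe(base, patches) {
  for (const { path } of patches) {
    for (const key of path) {
      if (FORBIDDEN_KEYS.has(String(key))) {
        throw new Error(`patch path contains reserved key "${key}"`);
      }
    }
  }
  return applyPatchesUnsafe(base, patches);
}

// Constructed payload matching the one quoted in the advisory.
const pollutingPatch = [{ op: "add", path: ["__proto__", "polluted"], value: "yes" }];

// Runs the vulnerable applier, records whether an unrelated fresh object now
// sees the injected property, then removes it so the process is left clean.
function demonstratePollution() {
  applyPatchesUnsafe({}, pollutingPatch);
  const leaked = ({}).polluted;      // "yes" once Object.prototype is polluted
  delete Object.prototype.polluted;  // clean-up
  return leaked;
}

// The hardened applier rejects the same patch and leaves prototypes untouched.
function demonstrateBlocked() {
  let rejected = false;
  try { applyPatchesSafe({}, pollutingPatch); } catch (e) { rejected = true; }
  return { rejected, leaked: ({}).polluted };
}
```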
Available Upgrade Options
- immer
- >7.0.0, <8.0.1 → Upgrade to 8.0.1
Additional Resources
- https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5
- https://snyk.io/vuln/SNYK-JS-IMMER-1019369
- https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts#L213
- https://github.com/immerjs/immer/issues/738
- https://www.npmjs.com/package/immer
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986
- https://nvd.nist.gov/vuln/detail/CVE-2020-28477
- https://osv.dev/vulnerability/GHSA-9qmh-276g-x5pj
What are Similar Vulnerabilities to CVE-2020-28477?
Similar Vulnerabilities: CVE-2020-8158, CVE-2022-24903, CVE-2021-23382, CVE-2020-7694, CVE-2019-10744
