CVE-2021-23436
Type Confusion vulnerability in immer (npm)
What is CVE-2021-23436 About?
The `immer` package before version 9.0.6 is vulnerable to a Type Confusion, enabling a bypass of a previous Prototype Pollution fix (CVE-2020-28477). This occurs when user-provided keys in `path` parameters are arrays, which can lead to unintended object modification. Exploitation is made possible by strict equality checks that fail when types differ.
Affected Software
Technical Details
The `immer` package in versions prior to 9.0.6 is susceptible to a Type Confusion vulnerability that bypasses the Prototype Pollution fix provided for CVE-2020-28477. The bypass is triggered when user-provided keys, intended for use in `path` parameters, are supplied as arrays instead of strings. The core issue lies in the `applyPatches_` function, where a strict equality check of the form `(p === "__proto__" || p === "constructor")` is performed. When `p` is an array (e.g., `['__proto__']`), the strict equality operator `===` returns `false`, as specified, because the type of `p` (array) does not match the type of the strings `"__proto__"` or `"constructor"`. This type mismatch lets the malicious array key pass the intended security check, leading to unintended property modification on the object prototype under specific conditions.
What is the Impact of CVE-2021-23436?
Successful exploitation may allow attackers to bypass security restrictions, potentially leading to unintended modifications of object properties or the execution of arbitrary code in specific contexts by manipulating object prototypes.
What is the Exploitability of CVE-2021-23436?
Exploitation of this Type Confusion vulnerability requires the ability to provide user-controlled input as array-type keys to immer's path parameter. This implies a moderate level of complexity, as the attacker needs to understand the application's data flow and how it interacts with the immer library. There are no explicit authentication or privilege requirements; the vulnerability could potentially be triggered by an unauthenticated remote attacker if untrusted input directly influences the vulnerable component. Remote access is possible through an exposed application interface that processes user data. A key risk factor is applications that do not validate the type of keys provided when interacting with immer, especially when using path parameters, allowing arrays where strings are expected.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23436?
About the Fix from Resolved Security
The patch adds a test to prevent prototype pollution via patch operations and modifies the code to treat path segments strictly as strings when traversing object properties. This directly mitigates CVE-2021-23436 by ensuring that dangerous properties like `__proto__`, `prototype`, and `constructor` cannot be added or modified, blocking the common vectors for prototype pollution attacks.
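To illustrate both the failing strict-equality check described under Technical Details and the string-normalising fix described above, here is an added example (not immer's own code) that audits patch paths before they are applied. The `DANGEROUS` list, the helper names and the sample patches are assumptions constructed for this example.

```javascript
// Added example, not code from the immer project.
const DANGEROUS = ["__proto__", "constructor", "prototype"];

// Vulnerable-style check: mirrors the pre-9.0.6 strict-equality logic.
// A one-element array such as ["__proto__"] is not === to any string,
// so this returns false for it.
function isDangerousStrict(p) {
  return p === "__proto__" || p === "constructor" || p === "prototype";
}

// Hardened check: a path segment must be a string or an integer index;
// anything else (arrays, objects, null) is rejected outright, and the
// comparison is done on the normalised string form.
function isDangerousSegment(p) {
  if (typeof p !== "string" && typeof p !== "number") return true;
  return DANGEROUS.includes(String(p));
}

// Validate a whole patch path; returns the offending segments (empty if clean).
function validatePatchPath(path) {
  if (!Array.isArray(path)) throw new TypeError("patch.path must be an array");
  return path.filter((p) => isDangerousSegment(p));
}

// Constructed sample patches in the JSON-Patch-like shape immer's applyPatches consumes.
const samplePatches = [
  { op: "add", path: ["user", "name"], value: "alice" },
  { op: "add", path: [["__proto__"], "polluted"], value: true },
  { op: "replace", path: ["constructor", "prototype", "x"], value: 1 },
];

// Report, per patch, whether the hardened validator would reject it.
function auditPatches(patches) {
  return patches.map((patch) => ({
    op: patch.op,
    rejected: validatePatchPath(patch.path).length > 0,
  }));
}
```

Running `auditPatches(samplePatches)` flags the second and third patches while letting the ordinary `["user", "name"]` path through; `isDangerousStrict(["__proto__"])` still returns `false`, which is exactly the gap the 9.0.6 fix closes.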
Available Upgrade Options
- immer
- >7.0.0, <9.0.6 → Upgrade to 9.0.6
Additional Resources
- https://snyk.io/vuln/SNYK-JS-IMMER-1540542
- https://osv.dev/vulnerability/GHSA-33f9-j839-rf8h
- https://nvd.nist.gov/vuln/detail/CVE-2021-23436
- https://github.com/immerjs/immer
- https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579266
What are Similar Vulnerabilities to CVE-2021-23436?
Similar Vulnerabilities: CVE-2020-28477, CVE-2021-23386, CVE-2020-7699, CVE-2020-7712, CVE-2021-28091
