CVE-2021-3757
Prototype Pollution vulnerability in immer (npm)
What is CVE-2021-3757 About?
This vulnerability is an Improperly Controlled Modification of Object Prototype Attributes, commonly known as 'Prototype Pollution', affecting the immer library. It allows attackers to inject or modify properties of an object's prototype, potentially leading to denial of service, remote code execution, or data tampering. Exploitation can vary in difficulty depending on the application's usage of JavaScript objects and prototypes.
Affected Software
Technical Details
The vulnerability arises because the immer library fails to adequately validate input when handling object properties, specifically when modifying or creating objects through patch operations. This allows an attacker to reach the `__proto__` property of an object, or other properties such as `constructor` that resolve through the object's prototype chain. By injecting properties or values into the prototype, those properties are inherited by every object in the application, leading to widespread unexpected behavior, data alteration, security bypasses, or even arbitrary code execution if the application reads prototype properties in security-sensitive contexts. The attack vector typically involves supplying specially crafted JSON or other data that includes `__proto__` keys.
What is the Impact of CVE-2021-3757?
Successful exploitation may allow attackers to inject arbitrary properties into object prototypes, leading to denial of service, remote code execution, or data tampering across the application.
What is the Exploitability of CVE-2021-3757?
Exploitation of Prototype Pollution generally requires the attacker to be able to supply controlled input that is processed in a way that allows arbitrary property modification on object prototypes. The complexity is moderate to high, as it depends heavily on how the application handles and merges data. Authentication might not be required if the vulnerable code path is accessible to unauthenticated users, or it could be required if it's tied to an authenticated function. Privilege requirements are typically low, as the attack targets the application's runtime environment rather than system privileges. It can be exploited remotely if the input vector is accessible over the network. Special conditions include the application using vulnerable JavaScript object handling patterns. Risk factors increase when user-supplied input is merged deeply into objects without proper validation or sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-3757?
About the Fix from Resolved Security
The patch prevents prototype pollution by ensuring that the special properties `__proto__`, `prototype`, and `constructor` cannot be set through patch operations, effectively mitigating CVE-2021-3757. By explicitly converting each path segment to a string and checking it against that list, it blocks attackers from using crafted patch paths to inject properties into object prototypes.
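To make the technical details and the fix description concrete, the following is an added illustration written for this page; it is not immer's code and does not reproduce the patched commit. It implements a minimal JSON-patch style applier in a vulnerable form (paths are walked blindly, so a path beginning with `__proto__` lands on `Object.prototype`) and a hardened form that applies the mitigation described above: every path segment is coerced to a string and rejected if it is `__proto__`, `prototype`, or `constructor`, before anything is written. All names (`walkAndSet`, `applyPatchesUnsafe`, `applyPatchesSafe`, `isForbiddenSegment`, the sample patches) are made up for the example, and the hostile patch is constructed input shaped like the data the text describes.

```javascript
// Added illustration, not immer's own code. A minimal patch applier of the
// kind CVE-2021-3757 concerns, shown in a vulnerable and a hardened form.
// All function names and sample data here are made up for this example.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "prototype", "constructor"]);

// Coerce the segment to a string before comparing, so a path segment that
// arrives as a non-string value cannot slip past the check.
function isForbiddenSegment(segment) {
  return FORBIDDEN_SEGMENTS.has(String(segment));
}

// Shared walker: follows path[0..n-2], creating intermediate objects as
// needed, then assigns value at the final segment. It performs no validation.
function walkAndSet(base, path, value) {
  let target = base;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (target[key] === undefined || target[key] === null) target[key] = {};
    target = target[key];
  }
  target[path[path.length - 1]] = value;
}

// Vulnerable form: applies whatever paths it is given. Because a plain
// object's "__proto__" resolves to Object.prototype, a path starting with
// that segment writes onto the shared prototype.
function applyPatchesUnsafe(base, patches) {
  for (const { path, value } of patches) walkAndSet(base, path, value);
  return base;
}

// Hardened form, mirroring the mitigation described above: reject any patch
// whose path contains a reserved segment before a single write happens.
function applyPatchesSafe(base, patches) {
  for (const { path } of patches) {
    for (const segment of path) {
      if (isForbiddenSegment(segment)) {
        throw new TypeError(`patch path segment '${String(segment)}' is not allowed`);
      }
    }
  }
  return applyPatchesUnsafe(base, patches);
}

// Constructed sample inputs (not taken from any real report).
const HOSTILE_PATCHES = [{ op: "add", path: ["__proto__", "polluted"], value: true }];
const BENIGN_PATCHES = [{ op: "replace", path: ["user", "name"], value: "alice" }];

// Runs the unsafe applier, records whether an unrelated fresh object now
// inherits the injected property, then removes the property again so the
// process is left clean. Returns the observation.
function demonstrateUnsafe() {
  applyPatchesUnsafe({}, HOSTILE_PATCHES);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

// Runs the hardened applier on the same input and reports whether it refused
// the patch while leaving Object.prototype untouched.
function demonstrateSafe() {
  let rejected = false;
  try {
    applyPatchesSafe({}, HOSTILE_PATCHES);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return rejected && ({}).polluted === undefined;
}

console.log("unsafe applier leaks into fresh objects:", demonstrateUnsafe());
console.log("safe applier rejects hostile patch:", demonstrateSafe());
console.log("safe applier on benign patch:", JSON.stringify(applyPatchesSafe({}, BENIGN_PATCHES)));
```

The check runs over the whole patch set before any write, so a rejected batch leaves the target untouched rather than half-applied. Validating the stringified segment matters because callers that forward JSON-derived paths may pass values that only become the reserved name once coerced during property access.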
Available Upgrade Options
- immer
- >7.0.0, <9.0.6 → Upgrade to 9.0.6
Additional Resources
- https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa
- https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237
- https://osv.dev/vulnerability/GHSA-c36v-fmgq-m8hx
- https://github.com/immerjs/immer
- https://nvd.nist.gov/vuln/detail/CVE-2021-3757
What are Similar Vulnerabilities to CVE-2021-3757?
Similar Vulnerabilities: CVE-2020-28168, CVE-2020-7760, CVE-2020-7729, CVE-2019-10744, CVE-2020-15250
