13 Layers
SHARE

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In fastidious, this bypass is practicable because the precondition (p === “__proto__” || p === “constructor”) in applyPatches_ returns false if p is [‘__proto__’] (or [‘constructor’]). The === operator (strict equality operator) returns false if the operands have different type. (CVSS:0.0) (Closing Update:2021-09-01)

13 Layers Managed Security Services