CVE-2021-3757 Overview
CVE-2021-3757 is a critical Prototype Pollution vulnerability affecting the Immer JavaScript library, a popular immutable state management tool widely used in React and Redux applications. The vulnerability allows attackers to modify the prototype of base objects through specially crafted input, potentially leading to remote code execution, denial of service, or security control bypass in applications using vulnerable versions of Immer.
Critical Impact
This prototype pollution vulnerability can be exploited remotely without authentication, potentially compromising the confidentiality, integrity, and availability of affected applications. As a follow-up to CVE-2020-28477, this variant uses patch path arrays in which __proto__ is wrapped in a nested array to bypass the earlier fix.
Affected Products
- immer_project immer (Node.js package)
- Applications using vulnerable versions of the Immer library
- React/Redux applications leveraging Immer for immutable state management
Discovery Timeline
- 2021-09-02 - CVE-2021-3757 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3757
Vulnerability Analysis
This vulnerability is classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as Prototype Pollution. The flaw exists in Immer's patch application mechanism within the src/plugins/patches.ts file.
The vulnerability represents a bypass of the previous fix for CVE-2020-28477. While the earlier patch addressed direct __proto__ string manipulation, attackers discovered that using nested array paths like path: [["__proto__"], "x"] could circumvent the security controls. When processing patches, the vulnerable code would iterate through path elements without properly sanitizing them, allowing prototype chain manipulation.
Root Cause
The root cause lies in the insufficient type coercion of path elements during patch application. When iterating through the path array, the vulnerable code used path elements directly without converting them to strings. An array-wrapped key such as ["__proto__"] fails a strict string comparison against "__proto__", so the earlier check did not reject it, yet it is coerced to the string "__proto__" when used as a property accessor, which let the prototype chain be modified.
The fix addresses this by explicitly converting path elements to strings using the expression "" + path[i], ensuring consistent type handling and preventing the bypass technique.
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker can craft malicious patch objects with specially constructed path arrays and submit them to an application that uses Immer to apply patches to state objects.
When the vulnerable applyPatches function processes the malicious input, the __proto__ property gets modified on the base object, potentially polluting the prototype chain of all JavaScript objects in the application context. This can lead to:
- Remote code execution through polluted properties used in sensitive operations
- Denial of service by corrupting critical object behaviors
- Authentication bypass if prototype properties affect security decisions
let base: any = draft
for (let i = 0; i < path.length - 1; i++) {
const parentType = getArchtype(base)
- const p = path[i]
+ const p = "" + path[i]
// See #738, avoid prototype pollution
if (
(parentType === Archtype.Object || parentType === Archtype.Array) &&
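Review bot: the loop bound `i < path.length - 1` leaves the final path element outside this coercion, so wherever the last key is read after the loop it should receive the same `"" + ...` treatment and the same prototype-key check as `p` here; otherwise an array-wrapped key in the last position is only as safe as that later code makes it. A one-line comment next to `const p = "" + path[i]` explaining why the coercion matters (`["__proto__"] !== "__proto__"`, but it stringifies to it) would also help, since on its own the change reads like a no-op.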
Source: GitHub Commit
Detection Methods for CVE-2021-3757
Indicators of Compromise
- Unexpected modifications to Object.prototype properties in application runtime
- Anomalous behavior in JavaScript objects that inherit unexpected properties
- Application crashes or unexpected behavior in state management operations
- Suspicious patch payloads containing nested arrays with __proto__ strings
Detection Strategies
- Monitor application logs for errors related to prototype chain corruption
- Implement runtime checks for unexpected properties on Object.prototype
- Scan application dependencies using software composition analysis (SCA) tools to identify vulnerable Immer versions
- Review incoming patch objects for malicious path patterns containing prototype-related strings
Monitoring Recommendations
- Deploy application performance monitoring to detect unusual JavaScript object behavior
- Implement Content Security Policy (CSP) headers to mitigate potential code execution consequences
- Use Node.js security modules that freeze Object.prototype to detect modification attempts
- Enable verbose logging for state management operations in production environments
How to Mitigate CVE-2021-3757
Immediate Actions Required
- Update Immer to the latest patched version immediately
- Audit applications for any usage of the applyPatches API with untrusted input
- Implement input validation to reject patch objects with suspicious path patterns
- Consider freezing Object.prototype in critical application contexts as a defense-in-depth measure
Patch Information
The Immer project has released a security patch addressing this vulnerability. The fix involves converting path elements to strings explicitly before processing, preventing the array-wrapped bypass technique. The security commit fa671e55ee9bd42ae08cc239102b665a23958237 contains the complete fix.
For detailed patch information, refer to the GitHub Commit Changes and the Huntr Bounty Report.
Workarounds
- If immediate patching is not possible, implement input sanitization to reject patch paths containing __proto__, constructor, or prototype strings
- Use Object.freeze() on Object.prototype in application initialization as a temporary protective measure
- Wrap Immer's applyPatches function with custom validation logic that inspects path arrays
- Consider using alternative state management approaches for handling untrusted external input
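The workaround of wrapping applyPatches with path validation, together with the root-cause coercion described above, as an added example that is not Immer's own code. It assumes an Immer-style patch shape ({ op, path, value }) and an applyPatches-like function supplied by the caller; the Object.prototype baseline check is a constructed runtime indicator, not part of the library.

```javascript
// Added example, not Immer's own code: validate patch paths before applyPatches.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// One path element may be used as a key only if it is a plain string or
// number (this alone rejects the array-wrapped ["__proto__"] of CVE-2021-3757)
// and its string form ("" + element, as in the upstream fix) is not a
// prototype-related key. Returns null when acceptable, otherwise a reason.
function checkPathElement(element) {
  if (typeof element !== "string" && typeof element !== "number") {
    return "path element must be a string or number";
  }
  const key = "" + element;
  if (FORBIDDEN_KEYS.has(key)) {
    return "forbidden key in path: " + key;
  }
  return null;
}

// Validate one Immer-style patch ({ op, path, value }); null means OK.
function validatePatch(patch) {
  if (patch === null || typeof patch !== "object" || !Array.isArray(patch.path)) {
    return "patch must be an object with an array path";
  }
  if (!["add", "replace", "remove"].includes(patch.op)) {
    return "unsupported op: " + String(patch.op);
  }
  for (const element of patch.path) {
    const problem = checkPathElement(element);
    if (problem !== null) return problem;
  }
  return null;
}

// Wrap a real applyPatches so no patch reaches it unvalidated.
function makeSafeApplyPatches(applyPatches) {
  return function safeApplyPatches(base, patches) {
    for (const patch of patches) {
      const problem = validatePatch(patch);
      if (problem !== null) throw new Error("rejected patch: " + problem);
    }
    return applyPatches(base, patches);
  };
}

// Runtime indicator: keys added to Object.prototype since startup ([] = clean).
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function findPrototypePollution() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !PROTOTYPE_BASELINE.has(k));
}
```

Call findPrototypePollution() periodically or on a health-check endpoint; any non-empty result is worth an alert.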
# Update Immer to latest version
npm update immer
# Or install specific patched version
npm install immer@latest
# Audit project dependencies for vulnerable versions
npm audit
# Check current Immer version
npm list immer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.