CVE-2021-3757

9.8 CRITICAL

📋 TL;DR

CVE-2021-3757 is a prototype pollution vulnerability in the immer JavaScript library that allows attackers to modify object prototypes, potentially leading to denial of service, remote code execution, or privilege escalation. This affects any application using vulnerable versions of immer for state management. The vulnerability is particularly dangerous in Node.js applications and frontend frameworks that use immer.

💻 Affected Systems

Products:
  • immer
  • applications using immer library
Versions: immer versions < 9.0.6
Operating Systems: All platforms running Node.js or JavaScript environments
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using immer for state management is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case: Denial of service through application crashes or privilege escalation by modifying application logic.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially only causing application instability.

🌐 Internet-Facing: HIGH - Web applications using immer are directly exposed to malicious payloads via user inputs.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker-controlled input to immer functions. Public proof-of-concept demonstrates prototype pollution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: immer 9.0.6 and later

Vendor Advisory: https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237

Restart Required: Yes

Instructions:

1. Update package.json to use immer >=9.0.6.
2. Run 'npm update immer' or 'yarn upgrade immer'.
3. Restart the application.
4. Test application functionality.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation for all data passed to immer functions.

Object.freeze on prototypes (applies to: all)

Freeze Object.prototype and other base prototypes to prevent modification:

Object.freeze(Object.prototype);
Object.freeze(Array.prototype);
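The two workarounds above, carried through as an added example that is not code from this advisory or from the immer project. It puts a validation layer in front of whatever is later handed to immer's producer functions (reject untrusted JSON containing keys that can reach Object.prototype) and applies the prototype freeze. The function names, the forbidden-key list and the sample payload are assumptions constructed here.

```javascript
// Added example (not part of the advisory or the immer project): a
// defensive layer in front of immer-style state updates. It implements the
// two workarounds named above: (1) reject untrusted input whose keys could
// reach Object.prototype, and (2) freeze the base prototypes so that a
// pollution attempt that gets past validation has no effect.

// Keys that let an assignment walk up to Object.prototype (assumed list).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively validate an already-parsed JSON value. Returns the path of
// the first offending key, or null when the value is clean.
function findPollutingKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutingKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    // JSON.parse creates "__proto__" as an own data property, so
    // getOwnPropertyNames sees it; inherited names are not inspected.
    for (const key of Object.getOwnPropertyNames(value)) {
      if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
      const hit = findPollutingKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Parse untrusted JSON and refuse it outright if any forbidden key appears.
// Call this before passing request bodies into produce()/state updates.
function parseUntrustedJson(text) {
  const parsed = JSON.parse(text);
  const hit = findPollutingKey(parsed);
  if (hit) throw new Error(`rejected untrusted input: forbidden key at ${hit}`);
  return parsed;
}

// Workaround 2 from the advisory: freeze the base prototypes. Idempotent.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
  Object.freeze(Array.prototype);
  return Object.isFrozen(Object.prototype) && Object.isFrozen(Array.prototype);
}

// Does a write through a plain object's __proto__ accessor reach
// Object.prototype? Returns true only if the prototype actually changed.
// Only meaningful after hardenPrototypes(); before it, the write would land.
function pollutionLeaks(marker) {
  try {
    const victim = {};
    victim.__proto__[marker] = 'polluted'; // target is Object.prototype
  } catch (e) {
    // In strict mode a write to a frozen prototype throws; the check below
    // covers both strict and sloppy mode.
  }
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Constructed sample input in the shape of a prototype-pollution attempt
// (the kind of "specially crafted JSON payload" the detection section names).
const SAMPLE_PAYLOAD = '{"name":"alice","prefs":{"__proto__":{"isAdmin":true}}}';

// Stand-alone demonstration.
console.log('offending key:', findPollutingKey(JSON.parse(SAMPLE_PAYLOAD)));
console.log('prototypes frozen:', hardenPrototypes());
console.log('pollution leaks after freeze:', pollutionLeaks('demo_marker'));
```

Freezing Object.prototype and Array.prototype is process-wide: any dependency that extends these prototypes at load time (polyfills, some older utility libraries) will throw in strict mode or silently lose its additions, so run the full test suite after enabling this workaround. The validator is the narrower control and should be applied at every boundary where externally supplied JSON enters state handling.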

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) to limit script execution
  • Deploy web application firewall (WAF) rules to detect and block prototype pollution attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for immer version <9.0.6. Run 'npm list immer' or check node_modules/immer/package.json.

Check Version:

npm list immer | grep immer

or

node -e "console.log(require('immer/package.json').version)"

Verify Fix Applied:

Confirm immer version is >=9.0.6. Test application with known safe inputs to ensure functionality.
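The lockfile inspection described in "Check if Vulnerable" and "Verify Fix Applied", carried out as an added example that is not tooling from the advisory or the immer project. It compares every installed copy of immer in a package-lock.json (lockfile v2/v3 "packages" map, which also lists nested copies under other dependencies) against the fixed version 9.0.6 stated above. Function names and the sample lockfile are constructed assumptions.

```javascript
// Added example (not the advisory's own tooling): report whether each
// installed immer in a package-lock.json is below the fixed version 9.0.6.

const FIXED_VERSION = '9.0.6'; // from the advisory's "Patch Version"

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
// Anything that does not fit returns null (unknown), never "safe".
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0, 1 for a < b, a == b, a > b. A prerelease sorts below its
// release (9.0.6-beta.1 < 9.0.6), as semver specifies.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : a.pre > b.pre ? 1 : 0;
}

// true = vulnerable, false = fixed, null = version string not understood.
function isVulnerableImmerVersion(version) {
  const v = parseSemver(version);
  if (!v) return null;
  return compareSemver(v, parseSemver(FIXED_VERSION)) < 0;
}

// Walk a lockfile in the v2/v3 shape {"packages": {"node_modules/<name>": {...}}}
// and report every installed immer copy. Nested copies
// ("node_modules/x/node_modules/immer") are matched as well.
function auditLockfile(lockfile) {
  const findings = [];
  const packages = (lockfile && lockfile.packages) || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (!/(^|\/)node_modules\/immer$/.test(path)) continue;
    findings.push({
      path,
      version: meta.version,
      vulnerable: isVulnerableImmerVersion(meta.version),
    });
  }
  return findings;
}

// Constructed sample lockfile: the top-level immer is fixed, but a second
// copy pinned by another dependency is still in the vulnerable range.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/immer': { version: '9.0.6' },
    'node_modules/some-ui-kit': { version: '1.2.3' },
    'node_modules/some-ui-kit/node_modules/immer': { version: '8.0.1' },
  },
};

// Stand-alone use: node audit-immer.js [path/to/package-lock.json]
// (falls back to the constructed sample when no path is given).
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCKFILE;
  for (const f of auditLockfile(lock)) {
    const status = f.vulnerable === null ? 'UNKNOWN' : f.vulnerable ? 'VULNERABLE' : 'ok';
    console.log(status, f.path, f.version);
  }
}
```

A clean `npm list immer` at the top level is not enough on its own: the nested copy in the sample is exactly the case where the root package.json says >=9.0.6 while a dependency still resolves an older immer, so treat any VULNERABLE line as a finding regardless of depth. Lockfile v1 files use a `dependencies` tree instead of `packages` and are not covered by this script.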

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual object property modifications
  • Memory consumption spikes

Network Indicators:

  • Requests with specially crafted JSON payloads
  • Unusual patterns in API calls to state management endpoints

SIEM Query:

source="application.logs" AND ("immer" OR "prototype") AND ("crash" OR "error" OR "unexpected")

🔗 References
