• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

immerjs / immer / 28511975630 / 1
44%
main: 46%

Build:
Build:
LAST BUILD BRANCH: dependabot/npm_and_yarn/sigstore/core-3.2.1
DEFAULT BRANCH: main
Ran 01 Jul 2026 10:47AM UTC
Files 28
Run time 1s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

01 Jul 2026 10:44AM UTC coverage: 43.615% (+0.4%) from 43.235%
28511975630.1

push

github

mweststrate
fix: prevent prototype pollution via constructor.prototype access (CVE-2026-XXXX)

VULNERABILITY ANALYSIS
======================

CVE: Prototype Pollution via draft.constructor.prototype (bypass of CVE-2021-23436)
CVSS: 9.8 (CRITICAL)
Affected: All versions including latest (11.1.8)
Impact: Authentication bypass, authorization escalation, potential RCE

ATTACK VECTORS BLOCKED
======================

Attack 1 - Dot Notation:
  produce({}, draft => {
    draft.constructor.prototype.isAdmin = true;
  });

Attack 2 - Bracket Notation:
  produce({}, draft => {
    draft["constructor"]["prototype"]["role"] = "admin";
  });

Attack 3 - Stored Reference:
  produce({data: {}}, draft => {
    const ctor = draft.data.constructor;
    ctor.prototype.privileged = true;
  });

REAL-WORLD SCENARIO
===================

Vulnerable express endpoint:
  app.post('/state', (req, res) => {
    const newState = produce(currentState, draft => {
      Object.assign(draft, req.body);  // user-controlled!
    });
  });

Attacker sends: {"constructor": {"prototype": {"isAdmin": true}}}
Result: ALL objects now have isAdmin = true → Authentication bypass

ROOT CAUSE
==========

The proxy's get trap returned constructor/__proto__ directly without guards,
allowing traversal to Function.prototype or Object.prototype for mutation.

SOLUTION IMPLEMENTED
====================

Modified src/core/proxy.ts objectTraps handler:

1. GET TRAP - Wraps reserved properties in sanitizing proxy:
   - Blocks .prototype access (returns frozen empty object)
   - Allows constructor calls: draft.arr.constructor(5) still works
   - Silently ignores writes to prevent pollution

2. SET TRAP - Blocks assignment to constructor, __proto__, prototype

3. HAS TRAP - Returns false for reserved properties

Implementation details:
- Returns proxy with get/set/apply traps for constructor/__proto__
- Prototype access returns Object.freeze(Object.create(null))
- Writes return true to silently fail without errors
- ap... (continued)

689 of 725 branches covered (95.03%)

Branch coverage included in aggregate %.

1736 of 4835 relevant lines covered (35.9%)

1548.55 hits per line

Source Files on job 28511975630.1
  • Tree
  • List 28
  • Changed 1
  • Source Changed 0
  • Coverage Changed 1
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses
  • Back to Build 28511975630
  • bd0970b8 on github
  • Prev Job for on fix-prototype-vulnerability (#25563160629.1)
  • Delete
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc