CVE-2021-23436: 
JavaScript vulnerability analysis and mitigation

A type confusion vulnerability (CVE-2021-23436) was discovered in the Node.js immer module affecting versions 7.0.0 to 9.0.6. The vulnerability allows bypassing the previous fix for CVE-2020-28477 when user-provided keys used in the path parameter are arrays (SNYK-JS-IMMER-1540542).

The vulnerability exists because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). This occurs because the === operator (strict equality operator) returns false if the operands have different types. When array values are provided as input, the type confusion allows bypassing the prototype pollution protection that was implemented to fix CVE-2020-28477 (SNYK-JS-IMMER-1540542, GitHub Commit).

The vulnerability could lead to prototype pollution, which allows an attacker to inject properties into existing JavaScript language construct prototypes. This can result in denial of service by triggering JavaScript exceptions or tampering with application source code to force unintended code execution paths (SNYK-JS-IMMER-1540542).

The vulnerability was fixed in version 9.0.6 of the immer package. The fix prevents this scenario by converting the path components to a string before being checked if they are not already of number or string type. Users should upgrade to version 9.0.6 or higher (SNYK-JS-IMMER-1540542).