Prototype Pollution Vulnerability in Immutable.js
CVE-2026-29063
8.7HIGH
What is CVE-2026-29063?
Prior to specified versions, Immutable.js is vulnerable to Prototype Pollution through various APIs including mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject(). This vulnerability allows attackers to manipulate object prototypes, which may lead to unexpected application behavior or system compromise. The issue has been addressed in versions 3.8.3, 4.3.7, and 5.1.5 with appropriate fixes to safeguard against such exploitation.
Affected Version(s)
immutable-js < 3.8.3 < 3.8.3
immutable-js < 4.3.7 < 4.3.7
immutable-js < 5.1.5 < 5.1.5
