Prototype Pollution Vulnerability in Immutable.js
CVE-2026-29063

8.7HIGH

Key Information:

Vendor
CVE Published:
6 March 2026

What is CVE-2026-29063?

Prior to specified versions, Immutable.js is vulnerable to Prototype Pollution through various APIs including mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject(). This vulnerability allows attackers to manipulate object prototypes, which may lead to unexpected application behavior or system compromise. The issue has been addressed in versions 3.8.3, 4.3.7, and 5.1.5 with appropriate fixes to safeguard against such exploitation.

Affected Version(s)

immutable-js < 3.8.3 < 3.8.3

immutable-js < 4.3.7 < 4.3.7

immutable-js < 5.1.5 < 5.1.5

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.