CVE-2026-29063

Summary

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Affected Software

VendorProductVersion RangeStatus
immutable-jsimmutable-js< 3.8.3affected
immutable-jsimmutable-js< 4.3.7affected
immutable-jsimmutable-js< 5.1.5affected

Weaknesses

  • CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution

Additional References

References