CVE-2026-29063

CRITICAL

Immutable.js <3.8.3/4.3.7/5.1.5 - Prototype Pollution

Title source: llm

Description

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

References (4)

[Vendor Advisory] https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw

[Release Notes] https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3

[Release Notes] https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8

[Release Notes] https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5

Scores

CVSS v3 9.8

EPSS 0.0021

EPSS Percentile 42.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (1)

immutable-js/immutable 3.0.0 - 3.8.3

Published Mar 06, 2026

Tracked Since Mar 07, 2026