CVE-2026-29063

Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Description

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

INFO

Published Date :

2026-03-06T18:25:22.438Z

Last Modified :

2026-03-06T19:33:31.642Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-29063 vulnerability.

Vendors	Products
Immutable-js	Immutable Immutable-js

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-29063.

URL	Resource
https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3
https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8
https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5
https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw
https://nvd.nist.gov/vuln/detail/CVE-2026-29063
https://www.cve.org/CVERecord?id=CVE-2026-29063