Description
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
Published: 2026-03-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Prototype pollution that permits unauthorized modification of Object.prototype
Action: Patch immediately
AI Analysis

Impact

Immutable.js, a library for persistent immutable data structures, exposes a prototype pollution flaw in several APIs. Prior to releases 3.8.3, 4.3.7, and 5.1.5, functions such as mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() can alter properties on Object.prototype when fed crafted input. This uncontrolled change corresponds to CWE‑1321 and could allow an attacker to inject malicious properties into every object created thereafter, undermining application integrity and potentially enabling denial‑of‑service.

Affected Systems

The vulnerability affects the Immutable.js library for JavaScript. Any installation using a version older than 3.8.3, 4.3.7, or 5.1.5 is susceptible. The issue was fixed in the corresponding release versions and all later updates.

Risk and Exploitability

The CVSS score is 8.7, placing this bug in the high severity range, while the EPSS score of less than 1 % indicates a low likelihood of exploitation. It is not listed in the KEV catalog. Based on the description, the attack vector is likely any scenario where an attacker supplies crafted data to the vulnerable APIs, allowing them to modify the global prototype chain and potentially compromise application functionality.

Generated by OpenCVE AI on April 16, 2026 at 11:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Immutable.js to at least version 3.8.3, 4.3.7, or 5.1.5 depending on your current major release so that the prototype pollution fix is in place.
  • Immediately remove or refactor any use of mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), or Map.toObject() that processes untrusted data; replace them with safer alternatives that do not alter Object.prototype.
  • Implement input validation on any data that originates from external sources to ensure it cannot construct prototype properties before being passed to Immutable.js functions.

Generated by OpenCVE AI on April 16, 2026 at 11:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
History

Fri, 17 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Immutable-js immutable
CPEs cpe:2.3:a:immutable-js:immutable:*:*:*:*:*:node.js:*:*
Vendors & Products Immutable-js immutable
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Immutable-js
Immutable-js immutable-js
Vendors & Products Immutable-js
Immutable-js immutable-js

Fri, 06 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
Title Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable
Weaknesses CWE-1321
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Immutable-js Immutable Immutable-js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T19:33:31.642Z

Reserved: 2026-03-03T20:51:43.481Z

Link: CVE-2026-29063

cve-icon Vulnrichment

Updated: 2026-03-06T19:32:46.434Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T19:16:21.557

Modified: 2026-04-17T21:32:18.947

Link: CVE-2026-29063

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-06T18:25:22Z

Links: CVE-2026-29063 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses