PT-2026-23094 · Unknown · Immutable-Js

Published 2026-03-04 · Updated 2026-05-06 · CVE-2026-29063

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Immutable.js versions prior to 3.8.3
Immutable.js versions prior to 4.3.7
Immutable.js versions prior to 5.1.5
Description
A Prototype Pollution issue exists in Immutable.js versions prior to 3.8.3, 4.3.7, and 5.1.5, specifically in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. A key taken from untrusted input can modify the prototype chain, leading to unexpected behavior or security compromises. The cause is that these APIs do not guard against a __proto__ key being introduced while merging objects or converting a Map to a plain object: mergeDeep() iterates the source keys via ObjectSeq and assigns merged[key] without filtering them; mergeDeepWith() uses the same code path; merge() is the shallow variant with the same assignment logic; Map.toJS() and Map.toObject() assign values onto the output object without checking for a __proto__ key; and Map.mergeDeep() is affected as well when its source is converted to a plain object. Proof-of-concept code shows an attacker injecting properties into the prototype chain through a crafted JSON payload, which can escalate privileges or bypass security checks.
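The merge and conversion paths described above, modelled as an added example. This is not Immutable.js source code; the functions mergeDeepUnsafe, mergeDeepSafe, toObjectUnsafe and toObjectSafe are hypothetical stand-ins for the library APIs named in the advisory, and the JSON payload and Map-style entry list are constructed for the demonstration. The unsafe forms follow the pattern the description gives (iterate the source keys, assign merged[key] or obj[key] without any filtering); the hardened forms show the key filter and own-property check that close the hole.

```javascript
// Added example, not Immutable.js source. Models the two unsafe patterns the
// advisory describes (deep merge that assigns merged[key] for every source key,
// and Map-to-object conversion that assigns obj[key] = value) beside hardened
// forms. All function names are hypothetical stand-ins for the real APIs.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unsafe deep merge. For a source key "__proto__", target[key] resolves to
// Object.prototype through the inherited accessor, so the recursion writes the
// attacker's nested properties onto the global prototype.
function mergeDeepUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(target[key]) && isPlainObject(value)) {
      mergeDeepUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: drop prototype-affecting keys, recurse only into the
// target's own properties (never into inherited ones), and do not mutate input.
function mergeDeepSafe(target, source) {
  const merged = {};
  for (const key of Object.keys(target)) {
    if (!UNSAFE_KEYS.has(key)) merged[key] = target[key];
  }
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    const existing = hasOwn(merged, key) ? merged[key] : undefined;
    merged[key] = isPlainObject(existing) && isPlainObject(value)
      ? mergeDeepSafe(existing, value)
      : value;
  }
  return merged;
}

// Unsafe conversion of [key, value] entries to a plain object. A "__proto__"
// key whose value is an object never becomes a property: the assignment swaps
// the result's prototype, so callers inherit attacker-controlled fields.
function toObjectUnsafe(entries) {
  const obj = {};
  for (const [k, v] of entries) obj[k] = v;
  return obj;
}

// Hardened conversion: start from a null-prototype object (nothing inherited)
// and define own data properties, which never triggers the __proto__ accessor.
function toObjectSafe(entries) {
  const obj = Object.create(null);
  for (const [k, v] of entries) {
    Object.defineProperty(obj, k, { value: v, enumerable: true, writable: true, configurable: true });
  }
  return obj;
}

// Constructed attacker payload, as it would arrive in a JSON request body.
// JSON.parse creates "__proto__" as an ordinary own key, so Object.keys sees it.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "attacker"}');

// Constructed Map-style entries containing a "__proto__" key.
const ENTRIES = [['__proto__', { isAdmin: true }], ['user', 'alice']];

function demo() {
  const before = ({}).polluted;          // undefined on a clean runtime
  mergeDeepUnsafe({}, PAYLOAD);
  const afterUnsafe = ({}).polluted;     // "yes": every object now inherits it
  delete Object.prototype.polluted;      // undo the pollution before continuing
  const safe = mergeDeepSafe({ name: 'x' }, PAYLOAD);
  const afterSafe = ({}).polluted;       // still undefined
  const u = toObjectUnsafe(ENTRIES);
  const s = toObjectSafe(ENTRIES);
  return {
    before,
    afterUnsafe,
    afterSafe,
    safeName: safe.name,                 // ordinary keys still merge
    unsafeIsAdmin: u.isAdmin,            // true, inherited from the swapped prototype
    safeIsAdmin: s.isAdmin,              // undefined
    safeHasProtoKey: hasOwn(s, '__proto__'), // stored as a plain own key
  };
}

console.log(demo());
```

Run with node. To find out whether a project resolves an affected release, npm ls immutable lists every copy of the package in the dependency tree; compare each version against the fixed releases (3.8.3, 4.3.7 and 5.1.5 for the 3.x, 4.x and 5.x lines respectively).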
Recommendations
Update to the fixed release for the line in use:
Immutable.js 3.x: update to version 3.8.3 or later.
Immutable.js 4.x: update to version 4.3.7 or later.
Immutable.js 5.x: update to version 5.1.5 or later.

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-29063
GHSA-WF6X-7X77-MVGW

Affected Products

Confluence
Immutable-Js