Vulnerability Description
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Immutable-Js | Immutable | >= 3.0.0, < 3.8.3 |
Related Weaknesses (CWE)
References
- https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3Release Notes
- https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8Release Notes
- https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5Release Notes
- https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-ExploitVendor Advisory
FAQ
What is CVE-2026-29063?
CVE-2026-29063 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), ...
How severe is CVE-2026-29063?
CVE-2026-29063 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-29063?
Check the references section above for vendor advisories and patch information. Affected products include: Immutable-Js Immutable.