CVE-2026-29063
Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
| CWE | CWE-1321 |
| Vendor | immutable-js |
| Product | immutable-js |
| Published | Mar 6, 2026 |
| Last Updated | Mar 6, 2026 |
Affected Versions
immutable-js / immutable-js
< 3.8.3, < 4.3.7, < 5.1.5
References
github.com: https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw
github.com: https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3
github.com: https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8
github.com: https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5