#VU124825 Prototype pollution in Immutable.js - CVE-2026-29063

Published: April 2, 2026


Vulnerability identifier: #VU124825
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-29063
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Immutable.js
Software vendor: Immutable.js

Description

The vulnerability allows a remote attacker to modify object prototype attributes in affected JavaScript objects.

The vulnerability exists due to improper input validation in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() functions when processing user-supplied input containing __proto__ properties. A remote attacker can send a specially crafted object input to pollute the prototype of base objects, leading to unauthorized property injection and potential privilege escalation.

Prototype pollution occurs without affecting the global Object.prototype; the injected properties can nonetheless be read through ordinary property lookups on the affected object even though they are not visible via Object.keys().
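The following is an added example, not code from this advisory or from the Immutable.js project. It illustrates the two defensive controls that matter for this class of bug: reject untrusted JSON that carries `__proto__`, `constructor` or `prototype` keys before it reaches any merge routine, and merge with a routine that never writes through to the prototype chain. A toy `naiveMerge` stands in for the vulnerable pattern so the symptom the advisory describes (value readable by lookup, absent from `Object.keys()`, global `Object.prototype` untouched) can be reproduced and checked; the sample JSON body is constructed for the demonstration.

```javascript
// Property names that reach the prototype chain instead of the object's own data.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Walk JSON-decoded data and return the dotted path of the first forbidden key,
// or null if the value is clean. JSON.parse creates "__proto__" as an own,
// enumerable key, so Object.keys() is the right thing to inspect here.
function findForbiddenKey(value, path = []) {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], path.concat(String(i)));
      if (hit !== null) return hit;
    }
    return null;
  }
  if (!isPlainObject(value)) return null;
  for (const key of Object.keys(value)) {
    const here = path.concat(key);
    if (FORBIDDEN_KEYS.has(key)) return here.join('.');
    const hit = findForbiddenKey(value[key], here);
    if (hit !== null) return hit;
  }
  return null;
}

// Decode an untrusted JSON body and refuse it outright if it carries a forbidden key.
// Apply this before handing request data to any merge/toJS style API.
function parseUntrustedJSON(text) {
  const data = JSON.parse(text);
  const bad = findForbiddenKey(data);
  if (bad !== null) throw new Error(`rejected input: forbidden key at "${bad}"`);
  return data;
}

// Toy stand-in for the vulnerable pattern: copies every key it sees, so an own
// "__proto__" key is assigned through the inherited setter and swaps the target's
// prototype. This is the per-object pollution the advisory describes.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) target[key] = source[key];
  return target;
}

// Hardened deep merge: skips forbidden keys and only recurses into the target's
// own plain-object values, so nothing is ever written to the prototype chain.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const sv = source[key];
    if (isPlainObject(sv)) {
      const tv = hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepMerge(tv, sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// Detection check for the symptom: a plain data object whose prototype is no
// longer the shared Object.prototype has had something merged into its chain.
function hasForeignPrototype(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto !== Object.prototype && proto !== null;
}

// Reproduce the advisory's description with a constructed request body.
function demo() {
  const raw = '{"name":"alice","__proto__":{"isAdmin":true}}'; // constructed sample input
  const polluted = naiveMerge({}, JSON.parse(raw));
  const safe = safeDeepMerge({}, JSON.parse(raw));
  return {
    lookup: polluted.isAdmin,                      // true: read through the prototype
    visibleKeys: Object.keys(polluted),            // ["name"]: pollution is invisible here
    globalUntouched: ({}).isAdmin === undefined,   // true: Object.prototype was not modified
    detected: hasForeignPrototype(polluted),       // true: the check catches it
    safeKeys: Object.keys(safe),                   // ["name"]
    safeLookup: safe.isAdmin,                      // undefined: hardened merge dropped the key
  };
}
```

The rejection step is deliberately strict: a legitimate document has no reason to carry these three names as data keys, so refusing the whole body is cheaper and safer than trying to strip them in place. The `hasForeignPrototype` check is useful as a post-condition after deserialisation or as a one-off audit of cached objects.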


Remediation

Install the security update from the vendor's website.

External links