Prototype pollution in Immutable.js - CVE-2026-29063

Published: April 2, 2026 / Updated: April 2, 2026


Vulnerability identifier: #VU124825
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-29063
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Immutable.js
Affected software: Immutable.js

Detailed vulnerability description

The vulnerability allows a remote attacker to modify prototype attributes of objects produced by the affected Immutable.js functions.

The vulnerability exists due to improper input validation in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() functions when processing user-supplied input containing __proto__ properties. A remote attacker can send a specially crafted object as input to pollute the prototype of the resulting base objects, leading to unauthorized property injection and potential privilege escalation.

The pollution does not reach the global Object.prototype, but the injected properties still resolve through ordinary property lookups on the affected object even though Object.keys() does not list them.
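As an added defensive illustration (not code from the Immutable.js project or from this advisory), the following plain JavaScript shows two generic controls that apply to any deep-merge routine: stripping prototype-altering keys from untrusted JSON before it reaches a merge function, and a check that reports properties reachable by lookup but absent from Object.keys(), which is the symptom described above. The function names and the constructed sample payload are assumptions, and the "polluted" object is built directly with Object.setPrototypeOf as a stand-in for the result of an unguarded merge.

```javascript
// Added example: generic defensive helpers for untrusted JSON that will be
// passed to a deep-merge routine. Not code from Immutable.js or this advisory;
// function names and sample inputs are constructed for illustration.

// Keys that an unguarded merge may interpret as prototype manipulation.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Rebuild an already-parsed value, dropping forbidden keys at every depth.
// Object.keys() lists an own "__proto__" property created by JSON.parse, so
// the key is seen here and skipped rather than copied into the clean object.
function sanitizeInput(value) {
  if (Array.isArray(value)) {
    return value.map(sanitizeInput);
  }
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      clean[key] = sanitizeInput(value[key]);
    }
    return clean;
  }
  return value; // primitives pass through unchanged
}

// Parse untrusted JSON and discard forbidden keys during parsing. Returning
// undefined from a JSON.parse reviver deletes that property from its parent.
function parseUntrusted(json) {
  return JSON.parse(json, (key, value) => (FORBIDDEN_KEYS.has(key) ? undefined : value));
}

// Detection: list property names a plain object inherits from any prototype
// other than Object.prototype. These resolve via obj.name or `name in obj`
// but never appear in Object.keys(obj), which is the condition the advisory
// describes. A non-empty result means the object's prototype chain was altered.
function findInheritedKeys(obj) {
  const found = [];
  let proto = Object.getPrototypeOf(obj);
  while (proto !== null && proto !== Object.prototype) {
    for (const key of Object.getOwnPropertyNames(proto)) {
      if (!Object.prototype.hasOwnProperty.call(obj, key) && !found.includes(key)) {
        found.push(key);
      }
    }
    proto = Object.getPrototypeOf(proto);
  }
  return found;
}

// Constructed sample: a request body carrying a "__proto__" key at two depths.
const SAMPLE_JSON =
  '{"name":"alice","__proto__":{"isAdmin":true},"prefs":{"theme":"dark","__proto__":{"quota":0}}}';

// Constructed stand-in for an object whose prototype was replaced by an
// unguarded merge: "isAdmin" resolves by lookup but is not an own key.
function constructedPollutedObject() {
  return Object.setPrototypeOf({ name: 'alice' }, { isAdmin: true });
}

// Demonstration when run directly.
console.log(Object.keys(sanitizeInput(JSON.parse(SAMPLE_JSON)))); // [ 'name', 'prefs' ]
console.log('isAdmin' in parseUntrusted(SAMPLE_JSON));            // false
console.log(findInheritedKeys(constructedPollutedObject()));      // [ 'isAdmin' ]
console.log(findInheritedKeys({ name: 'alice' }));                // []
```

The reviver approach is the cheaper of the two because the forbidden keys never materialize as properties at all; sanitizeInput() is for data that has already been parsed elsewhere. Both also drop legitimate keys named "constructor" or "prototype", so schemas that need those names should validate against an allow-list of expected keys instead. findInheritedKeys() is written for plain objects; arrays and class instances inherit from their own prototypes and would need those added to the stop condition.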


How to mitigate CVE-2026-29063

Install the security update from the vendor's website.

Sources