CVE-2026-29063
Prototype Pollution in Immutable.js via Merge and Map APIs
Publication date: 2026-03-06
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| immutable-js | immutable | From 3.0.0 (inc) to 3.8.3 (exc) |
| immutable-js | immutable | From 4.0.0 (inc) to 4.3.7 (exc) |
| immutable-js | immutable | From 5.0.0 (inc) to 5.1.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29063 is a Prototype Pollution vulnerability (CWE-1321) in the immutable-js library, affecting 3.x releases before 3.8.3, 4.x releases before 4.3.7 and 5.x releases before 5.1.5. Several APIs that merge Immutable collections with, or convert them into, plain JavaScript objects, namely mergeDeep(), mergeDeepWith(), merge(), Map.toJS() and Map.toObject(), do not filter or guard a key named __proto__. An attacker who controls the input (for example a parsed JSON request body) can therefore have the returned object's prototype replaced, so that properties such as admin or role appear on that object without ever having been set explicitly.
The pollution is confined to the object instances these APIs return; the global Object.prototype is not modified, so this is not the classic application-wide prototype pollution, but it is enough for a quiet privilege escalation. The injected properties do not show up in Object.keys(), in JSON.stringify() output or in hasOwnProperty() checks, yet a plain property lookup (user.admin) or the in operator finds them, and that is exactly what many authorization checks use.
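The behaviour described above, modelled in plain Node.js as an added example. This is not Immutable's code: naiveToObject is a stand-in for an unguarded conversion of the Map.toObject() kind, and the UNTRUSTED payload is constructed here. It shows why the pollution is local to the returned object and why it slips past key-enumeration checks:

```javascript
'use strict';

// Constructed attacker-controlled input, e.g. a parsed JSON request body.
// JSON.parse creates an *own* data property literally named "__proto__";
// parsing alone does not touch the object's prototype.
const UNTRUSTED = JSON.parse(
  '{"name":"mallory","__proto__":{"admin":true,"role":"admin"}}'
);

// Simplified model of an unguarded entries-to-object conversion (assumption:
// the shape of a Map.toObject()-style call). Not Immutable's code; it only
// reproduces the bug class. Writing a key named "__proto__" with plain
// assignment invokes the Object.prototype.__proto__ setter, which swaps the
// prototype of `out` instead of adding an own property.
function naiveToObject(entries) {
  const out = {};
  for (const [key, value] of entries) {
    out[key] = value;
  }
  return out;
}

function buildProfile(input) {
  return naiveToObject(Object.entries(input));
}

// What the surrounding application can observe on the returned object.
function inspectProfile() {
  const profile = buildProfile(UNTRUSTED);
  return {
    ownKeys: Object.keys(profile),                                          // ['name']
    serialized: JSON.stringify(profile),                                    // '{"name":"mallory"}'
    adminByLookup: profile.admin,                                           // true
    adminIn: 'admin' in profile,                                            // true
    adminOwn: Object.prototype.hasOwnProperty.call(profile, 'admin'),       // false
    prototypeReplaced: Object.getPrototypeOf(profile) !== Object.prototype, // true
    globalPolluted: ({}).admin !== undefined,                               // false
  };
}

// A typical authorization gate that the pollution defeats, because it reads
// the fields by property lookup rather than as own properties.
function isAdmin(profile) {
  return profile.admin === true || profile.role === 'admin';
}
```

Run with node: inspectProfile() reports that admin is reachable by lookup and by the in operator while Object.keys() and JSON.stringify() show only name, and that a fresh {} is unaffected. isAdmin() returns true for the converted payload even though no admin field was ever stored.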
How can this vulnerability impact me?
The practical impact is privilege escalation or authorization bypass. An attacker who can place a __proto__ key into data that the application later passes through one of the vulnerable APIs can make the returned object report admin: true or role: admin on, for example, a user profile object, even though no such field was ever stored. Any code that reads those fields by property lookup will trust them and may grant unauthorized access or elevated privileges.
Because the injected properties are not own properties, they are invisible to Object.keys()-based validation, to allow-list checks built on enumerated keys and to JSON-serialized audit logs, which makes the manipulation stealthy and hard to spot after the fact.
The vulnerability is rated high severity with a CVSS score of 8.7. It can be exploited remotely without any privileges or user interaction, and it impacts confidentiality by allowing unauthorized access to protected properties and data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability means checking two things: whether the application depends on a vulnerable immutable-js release (the ranges listed above: 3.x before 3.8.3, 4.x before 4.3.7, 5.x before 5.1.5) and whether it passes untrusted data through the affected APIs: mergeDeep(), mergeDeepWith(), merge(), Map.toJS() and Map.toObject().
Because the injected properties live on the returned object's prototype rather than on the object itself, Object.keys(), JSON.stringify() and hasOwnProperty() will not reveal them. They are visible through property lookup, through the in operator, or by checking Object.getPrototypeOf() on the returned value, which for a plain object should be Object.prototype and nothing else.
No specific commands are given in the resources, but the general approaches are:
- Audit package.json and the lock file (package-lock.json, yarn.lock or pnpm-lock.yaml) to find the installed immutable version, including transitive copies pulled in by other dependencies.
- Use static code analysis or grep to locate calls to the affected APIs, searching for mergeDeep, mergeDeepWith, merge, toJS or toObject; merge and toJS are common method names, so expect false positives from other libraries.
- In a Node.js runtime, write test scripts that pass objects containing a __proto__ key (as JSON.parse() produces from a request body) through those calls and check whether the result's prototype has been replaced. [3]
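A runtime check of the kind the last item describes, as an added example (not from the advisory or from Immutable). inheritedForeignProps() walks an object's prototype chain and reports properties that are reachable by lookup but neither own nor inherited from the standard prototypes; probeConverter() feeds a constructed __proto__ payload through any conversion function and reports whether the result came back polluted. In a real project you would pass a closure over the library call under test, for instance o => Immutable.Map(o).toObject() (an assumed usage, named only to show the kind of thing to probe); here the probe is demonstrated with two built-ins, Object.assign(), which uses assignment and is therefore polluted, and object spread, which defines own properties and is not:

```javascript
'use strict';

// Constructed payload. JSON.parse yields an own property literally named
// "__proto__"; a safe converter must not turn it into a prototype change.
const PAYLOAD = JSON.parse(
  '{"name":"probe","__proto__":{"admin":true,"role":"admin"}}'
);

// Properties reachable on `obj` by lookup that are neither its own nor
// inherited from Object.prototype / Array.prototype. A non-empty result on
// something that should be a plain object means its prototype chain has
// been tampered with.
function inheritedForeignProps(obj) {
  const standard = [Object.prototype, Array.prototype, null];
  const found = [];
  let proto = Object.getPrototypeOf(obj);
  while (!standard.includes(proto)) {
    for (const key of Object.getOwnPropertyNames(proto)) {
      const own = Object.prototype.hasOwnProperty.call(obj, key);
      if (!own && !found.includes(key)) found.push(key);
    }
    proto = Object.getPrototypeOf(proto);
  }
  return found;
}

// Runs `convert` over the payload and reports what an authorization check
// would see on the returned object.
function probeConverter(convert) {
  const out = convert(PAYLOAD);
  const foreign = inheritedForeignProps(out);
  return {
    polluted: foreign.length > 0,
    foreign,                          // e.g. ['admin', 'role'] when polluted
    ownKeys: Object.keys(out),        // never contains the injected names
    adminByLookup: out.admin,         // true when polluted, undefined otherwise
  };
}

// Two built-in "converters" to calibrate the probe against:
// Object.assign() writes each key with [[Set]], so "__proto__" hits the setter.
const viaAssign = (o) => Object.assign({}, o);
// Object spread uses CreateDataProperty, so "__proto__" stays an own key.
const viaSpread = (o) => ({ ...o });
```

To audit the installed version alongside this, npm ls immutable lists every copy of the package in the dependency tree, including nested ones. Running probeConverter(viaAssign) yields polluted: true with foreign ['admin', 'role'], while probeConverter(viaSpread) yields polluted: false; a library conversion that behaves like the first case on this payload is exhibiting the bug class this advisory describes.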
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade immutable-js to a patched release: 3.8.3, 4.3.7 or 5.1.5, or a later release within the same major version.
Additional, defence-in-depth measures:
- Validate untrusted input before it reaches these APIs and reject any key named __proto__, constructor or prototype at every nesting level. JSON.parse() happily produces an own property named __proto__, and the key can be spelled with Unicode escapes in the JSON text, so the check has to run on the parsed object rather than on the raw string.
- Run Node.js with --disable-proto=delete or --disable-proto=throw, which removes the Object.prototype.__proto__ accessor or makes it throw. This blocks pollution that goes through a __proto__ assignment, but not changes made with Object.setPrototypeOf(), and it changes behaviour for any code that legitimately uses __proto__.
- Lock down built-in objects (for example by freezing Object.prototype) and avoid relying on inherited properties for security decisions: test authorization fields as own properties (Object.hasOwn or hasOwnProperty) rather than by plain lookup. Freezing built-ins stops global pollution but not the per-object pollution described here, which is why own-property checks matter.
- Create objects with null prototypes where possible, so there is no prototype chain for injected properties to hide in. [3, 1, 2, 4]
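The key filtering and null-prototype measures above, combined in one hardened deep merge, as an added example. It is not Immutable's implementation and not a replacement for upgrading; it shows how an application-side merge can stay safe on the same kind of payload. The constructed UNTRUSTED input carries a __proto__ key at the top level and inside a nested object:

```javascript
'use strict';

// Keys through which a merge can reach the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only recurse into plain objects (ordinary or null-prototype); arrays,
// class instances, Dates etc. are copied by reference.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const p = Object.getPrototypeOf(v);
  return p === Object.prototype || p === null;
}

// Deep merge that (1) drops the forbidden keys at every level, (2) recurses
// only into plain objects and (3) builds the result on a null-prototype
// object, so no inherited property can be found by lookup at all.
function safeMergeDeep(...sources) {
  const out = Object.create(null);
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;                 // (1)
      const value = source[key];
      if (isPlainObject(value) && isPlainObject(out[key])) {
        out[key] = safeMergeDeep(out[key], value);           // (2)
      } else {
        out[key] = isPlainObject(value) ? safeMergeDeep(value) : value;
      }
    }
  }
  return out;                                                // (3)
}

// Constructed inputs: application defaults plus an attacker-controlled body.
const DEFAULTS = { role: 'user', prefs: { theme: 'light' } };
const UNTRUSTED = JSON.parse(
  '{"prefs":{"theme":"dark","__proto__":{"admin":true}},' +
  '"__proto__":{"admin":true,"role":"admin"}}'
);

function mergeProfile() {
  const profile = safeMergeDeep(DEFAULTS, UNTRUSTED);
  return {
    role: profile.role,                                  // 'user'
    theme: profile.prefs.theme,                          // 'dark'
    admin: profile.admin,                                // undefined
    nestedAdmin: profile.prefs.admin,                    // undefined
    nullProto: Object.getPrototypeOf(profile) === null,  // true
    ownKeys: Object.keys(profile),                       // ['role', 'prefs']
  };
}
```

One caveat of the null-prototype choice: the returned objects have no hasOwnProperty method, so callers must use Object.hasOwn(obj, key) (Node 16.9 and later) or Object.prototype.hasOwnProperty.call(obj, key). JSON.stringify() and Object.keys() work on them as usual.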