Executive Summary

CVE-2026-29063 is a Prototype Pollution vulnerability in the immutable-js library, affecting versions prior to 3.8.3, 4.3.7, and 5.1.5. This vulnerability allows attackers to improperly modify JavaScript object prototype attributes via several APIs such as mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject(). These APIs fail to properly filter or guard against the injection of __proto__ properties, enabling attackers to inject or overwrite prototype properties like admin or role on objects.

The pollution affects only the object instances returned by these APIs and does not modify the global Object.prototype, which prevents global prototype pollution but still allows stealthy privilege escalations. Injected properties do not appear in Object.keys() but are accessible via property lookup, evading common security checks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to privilege escalation by allowing attackers to inject arbitrary properties into the prototype of objects returned by the vulnerable APIs. For example, an attacker could set properties such as admin: true or role: admin on user profile objects, potentially bypassing security checks and gaining unauthorized access or elevated privileges.

Because the injected properties do not appear in Object.keys() but are accessible through property lookup, they can evade detection by common security mechanisms, making the attack stealthy and harder to detect.

The vulnerability has a high severity with a CVSS score of 8.7, can be exploited remotely without any privileges or user interaction, and impacts confidentiality by allowing unauthorized access to sensitive properties.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this Prototype Pollution vulnerability involves checking if your application uses vulnerable versions of the immutable-js library (versions prior to 3.8.3, 4.3.7, and 5.1.5) and if it calls the affected APIs: mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject().'}, {'type': 'paragraph', 'content': "Since the vulnerability allows injection of __proto__ properties that do not appear in Object.keys() but are accessible via property lookup, you can attempt to detect pollution by inspecting objects returned from these APIs for unexpected prototype properties such as 'admin' or 'role'."}, {'type': 'paragraph', 'content': 'There are no specific commands provided in the resources, but general approaches include:'}, {'type': 'list_item', 'content': 'Audit your package.json or dependency lock files to identify the immutable-js version in use.'}, {'type': 'list_item', 'content': "Use static code analysis or grep to find usage of the vulnerable APIs in your codebase, e.g., searching for 'mergeDeep', 'mergeDeepWith', 'merge', 'toJS', or 'toObject'."}, {'type': 'list_item', 'content': 'In a Node.js runtime, you can write test scripts that merge objects containing __proto__ keys and check if the resulting objects have polluted prototype properties.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary and recommended mitigation is to upgrade the immutable-js library to a patched version: 3.8.3, 4.3.7, or 5.1.5 or later.'}, {'type': 'paragraph', 'content': 'Additional mitigation steps include:'}, {'type': 'list_item', 'content': "Validate and sanitize user input to disallow keys named '__proto__' to prevent injection of prototype properties."}, {'type': 'list_item', 'content': "Use the Node.js runtime flag '--disable-proto' to disable prototype pollution via __proto__."}, {'type': 'list_item', 'content': 'Lock down built-in objects and avoid prototype lookups in your application code.'}, {'type': 'list_item', 'content': 'Create objects with null prototypes where possible to avoid prototype pollution.'}] [3, 1, 2, 4]

Useful 0 Not Useful 0