Description

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

PUBLISHED Reserved 2026-03-03 | Published 2026-03-06 | Updated 2026-03-06 | Assigner GitHub_M




HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

< 3.8.3: affected
< 4.3.7: affected
< 5.1.5: affected

References

github.com/...ble-js/security/advisories/GHSA-wf6x-7x77-mvgw

github.com/immutable-js/immutable-js/releases/tag/v3.8.3

github.com/immutable-js/immutable-js/releases/tag/v4.3.8

github.com/immutable-js/immutable-js/releases/tag/v5.1.5

cve.org (CVE-2026-29063)

nvd.nist.gov (CVE-2026-29063)
