CVE-2026-29063
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk58th percentile - higher than 58% of all known CVEs
Summary
Immutable.js is vulnerable to Prototype Pollution via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. The issue is fixed in versions 3.8.3, 4.3.7, and 5.1.5.
Risk Assessment
An attacker can exploit this vulnerability to modify global JavaScript objects, potentially leading to privilege escalation, arbitrary code execution, or data integrity compromise.
Recommendation
Immediately update Immutable.js to version 3.8.3, 4.3.7, or 5.1.5 depending on your branch.
Original NVD description (English source)
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

