CVE Catalog

CVE-2026-29063

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.98%

58th percentile - higher than 58% of all known CVEs

Summary

Immutable.js is vulnerable to Prototype Pollution via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. The issue is fixed in versions 3.8.3, 4.3.7, and 5.1.5.

Risk Assessment

An attacker can exploit this vulnerability to modify global JavaScript objects, potentially leading to privilege escalation, arbitrary code execution, or data integrity compromise.

Recommendation

Immediately update Immutable.js to version 3.8.3, 4.3.7, or 5.1.5 depending on your branch.

Original NVD description (English source)

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS