CVE-2026-29063: Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
Security readout for executives and security teams
Plain-English summary
CVE-2026-29063 affects Immutable.js, a JavaScript library used in web and Node.js applications. Certain merge and object-conversion APIs can allow prototype pollution before the fixed versions. In business terms, applications that process attacker-controlled data through these APIs may face data tampering, service disruption, or broader compromise depending on usage.
Executive priority
Treat as high priority for internet-facing or data-processing JavaScript services. It is not confirmed as actively exploited in the provided sources, but the high CVSS score and common dependency pattern justify prompt inventory and upgrade work.
Technical view
Immutable.js before 3.8.3, 4.3.7, and 5.1.5 is vulnerable through mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject(). The issue is classified as CWE-1321 and CWE-915, with CVSS 8.8. The source bundle does not provide exploit details or application-specific prerequisites beyond low complexity and required privileges.
Likely exposure
Exposure is most likely in JavaScript or Node.js applications that include immutable or immutable-js versions below 3.8.3, 4.3.7, or 5.1.5 and pass untrusted structured data into the listed APIs.
Exploitation context
The source bundle marks KEV as false and provides no cited evidence of active exploitation. The CVSS vector indicates network reachability, low attack complexity, low privileges, and no user interaction, but real impact depends on how the library is used.
Researcher notes
The public bundle identifies affected APIs and fixed versions but does not include proof-of-concept material, exploit telemetry, or detailed vulnerable data-flow examples. Validation should focus on dependency resolution and whether untrusted object data reaches the affected Immutable.js APIs.
Mitigation direction
Upgrade Immutable.js to 3.8.3, 4.3.7, 5.1.5, or later as applicable.
Check vendor guidance for any Red Hat-packaged exposure and errata applicability.
Prioritize applications processing untrusted JSON or request bodies with the listed APIs.
Review dependency overrides or transitive dependencies that may pin vulnerable versions.
Validation and detection
Inventory package manifests, lockfiles, and SBOMs for immutable or immutable-js versions.
Confirm resolved versions meet the fixed release thresholds for the used major branch.
Review code paths using mergeDeep, mergeDeepWith, merge, Map.toJS, or Map.toObject.
Check whether attacker-controlled structured data reaches those APIs.
Verify CI or dependency scanning reports no vulnerable Immutable.js instances remain.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1321: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1321 · source CWE mapping
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Improperly Controlled Modification of Dynamically-Determined Object Attributes represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.