Platform
nodejs
Component
immutable
Fixed in
3.8.4
4.3.8
5.1.6
CVE-2026-29063 describes a Prototype Pollution vulnerability in Immutable.js, a widely used JavaScript library for immutable data structures. It allows an attacker who controls data passed to certain Immutable.js APIs to write properties onto the prototypes of JavaScript objects, which can change the behaviour of unrelated code and, depending on the application, escalate to code execution. Three release lines are affected: 3.x before 3.8.4, 4.x before 4.3.8 and 5.x before 5.1.6; fixes have been released in each of those versions. The advisory is filed against Node.js applications that use Immutable.js.
Prototype Pollution vulnerabilities arise when an attacker can inject properties into the prototypes of built-in JavaScript objects (typically Object.prototype), usually by supplying keys such as __proto__ or constructor.prototype in data that the application merges into its own objects. In the case of Immutable.js, the mergeDeep(), mergeDeepWith(), merge(), Map.toJS() and Map.toObject() APIs are susceptible when they are fed attacker-controlled input. Successful exploitation changes the inherited properties that every object in the process sees, which can turn into denial of service, information disclosure or remote code execution, depending on how the application and its dependencies consume the polluted properties. The impact is greatest in applications that route untrusted data (request bodies, persisted state, configuration) through Immutable.js for state management.
CVE-2026-29063 was publicly disclosed on March 4, 2026. While no active exploitation campaigns have been publicly reported, Prototype Pollution vulnerabilities are generally considered a high-risk concern due to their potential for widespread impact. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge as the vulnerability gains wider awareness.
Node.js applications using Immutable.js 3.x before 3.8.4, 4.x before 4.3.8 or 5.x before 5.1.6 are at risk. This includes applications that rely on Immutable.js for managing application state, data persistence or any other data manipulation, and applications that only pull it in transitively through another package, since an outdated copy nested under a dependency is just as exploitable as a direct one.
• nodejs / server:
npm list immutable --all
(lists every copy of immutable in the dependency tree, including transitive ones, with its resolved version)
• nodejs / server:
npm audit
(reports any installed immutable release that matches a published advisory; npm audit checks the whole lockfile and does not take a package name)
• generic web: inspect request logs for JSON bodies or query strings that carry the keys __proto__, constructor or prototype. Those keys are the vector for this vulnerability class and legitimate clients have no reason to send them.
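The npm commands above tell you which versions are installed; deciding which of them fall inside the affected ranges is left to the reader. The following is an added example written for this page (it is not tooling from the advisory or from the Immutable.js project): it walks the JSON that "npm list immutable --json --all" emits, finds every copy of immutable in the tree and flags the ones below the fixed release for their line. The thresholds are taken from this page's "Fixed in" field; treating every earlier release of the same major as affected is an assumption of this example, and the dependency tree embedded below is constructed, not real audit output.

```javascript
// Added example, not part of the advisory or of Immutable.js.
// Fixed releases per major line, from this page's "Fixed in" field.
// Assumption: every earlier release of the same major is affected.
const FIXED_IN = { 3: [3, 8, 4], 4: [4, 3, 8], 5: [5, 1, 6] };

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; null when the string is not semver
// (e.g. a git URL or dist-tag), which has to be checked by hand.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true: affected, false: fixed or outside the listed lines, null: not semver.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  const fixed = FIXED_IN[p.nums[0]];
  if (!fixed) return false; // release line not listed by the advisory
  const cmp = compareVersions(p.nums, fixed);
  // A prerelease of the fixed version (4.3.8-rc.1) precedes it, so it is still affected.
  return cmp < 0 || (cmp === 0 && p.prerelease);
}

// Recursively collect every node named "immutable" from an `npm list --json`
// tree, recording the chain of dependents that pulled it in.
function findImmutable(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === 'immutable') {
      out.push({ path: here.join(' > '), version: node.version, affected: isAffected(node.version) });
    }
    findImmutable(node, here, out);
  }
  return out;
}

// Constructed sample in the shape npm produces; replace it with
// JSON.parse(<output of `npm list immutable --json --all`>) on a real project.
const SAMPLE_NPM_LS = {
  name: 'webapp',
  version: '1.0.0',
  dependencies: {
    immutable: { version: '4.3.7' },
    'redux-immutable': { version: '4.0.0', dependencies: { immutable: { version: '3.8.2' } } },
    'some-lib': { version: '2.0.0', dependencies: { immutable: { version: '5.1.6' } } },
  },
};

function scanSample() {
  return findImmutable(SAMPLE_NPM_LS);
}

console.log(JSON.stringify(scanSample(), null, 2));
```

Running it on the sample reports the direct 4.3.7 and the nested 3.8.2 as affected and leaves the 5.1.6 copy alone; a null in the affected column means the version string was not semver and needs a manual look.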
Disclosure
Exploit Status
EPSS
0.06% (19th percentile)
CISA SSVC
The primary mitigation for CVE-2026-29063 is to upgrade Immutable.js to 3.8.4, 4.3.8 or 5.1.6 (or later) on the release line you use. If upgrading is not immediately feasible, validate and sanitise untrusted input before it reaches Immutable.js: reject or strip the keys __proto__, constructor and prototype at every nesting level, and review the data sources that feed the affected merge APIs so that only trusted or schema-validated data is merged. Freezing Object.prototype (Object.freeze(Object.prototype)) at process start is a blunt defence in depth that stops the write itself, but it can break libraries that extend built-in prototypes, so test it before relying on it. A Web Application Firewall with prototype pollution rules adds a layer at the perimeter, but it only sees HTTP traffic and cannot catch pollution from data that arrives through queues, databases or files. Monitor for the symptoms of pollution, such as unexpected properties appearing on fresh objects, rather than waiting for a crash to reveal it.
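To make the mechanism and the interim mitigations concrete, here is an added example written for this page; it is not Immutable.js's code and not a proof of concept against it. It shows a naive recursive merge of the kind the advisory describes being polluted by a constructed JSON payload, next to a hardened merge that rejects prototype-reaching keys, a sanitising JSON parser that strips them before any merge runs (including a library merge you do not control), and a runtime tripwire that notices a polluted Object.prototype. All function names, key names and the payload are this example's own.

```javascript
// Added example: illustrative code written for this page, not Immutable.js's
// implementation. Function names, key names and the payload are constructed.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern. JSON.parse turns {"__proto__": {...}} into an own
// property literally named "__proto__", so Object.keys enumerates it. On the
// target, target["__proto__"] goes through the inherited accessor and yields
// Object.prototype, so the recursion writes the attacker's keys onto it.
function unsafeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      unsafeMergeDeep(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: refuse the keys that reach a prototype, and only recurse
// into properties the target actually owns (never into inherited ones).
function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`refusing to merge unsafe key "${key}"`);
    }
    const ownTarget = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(source[key]) && isPlainObject(ownTarget)) {
      safeMergeDeep(ownTarget, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Sanitising parser: the reviver returns undefined for dangerous keys, which
// makes JSON.parse delete them at every nesting level before the data can
// reach any merge, library or otherwise.
function parseUntrustedJson(text) {
  return JSON.parse(text, (key, value) => (DANGEROUS_KEYS.has(key) ? undefined : value));
}

// Cheap runtime tripwire: a clean Object.prototype has no enumerable keys.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed attacker payload: a profile update carrying a __proto__ key.
const PAYLOAD = '{"name":"alice","__proto__":{"isAdmin":true}}';

function demonstrate() {
  const r = { cleanBefore: prototypeIsClean() };

  // 1. Naive merge: afterwards every object in the process "has" isAdmin.
  unsafeMergeDeep({}, JSON.parse(PAYLOAD));
  r.victimIsAdmin = ({}).isAdmin === true;
  r.cleanAfterUnsafe = prototypeIsClean();
  delete Object.prototype.isAdmin; // undo the pollution for the rest of the run

  // 2. Hardened merge rejects the payload outright.
  try {
    safeMergeDeep({}, JSON.parse(PAYLOAD));
    r.safeMergeThrew = false;
  } catch (e) {
    r.safeMergeThrew = true;
  }

  // 3. Sanitised input makes even the unsafe merge harmless.
  const merged = unsafeMergeDeep({}, parseUntrustedJson(PAYLOAD));
  r.sanitisedName = merged.name;
  r.victimIsAdminAfterSanitise = ({}).isAdmin === true;
  r.cleanAtEnd = prototypeIsClean();
  return r;
}

console.log(demonstrate());
```

The parser-side filter is the practical interim control when the merge lives inside a dependency you cannot patch yet: it removes the vector before the vulnerable API sees it. Building merge targets with Object.create(null) is a further option, since such objects have no prototype to reach. The tripwire is only a smoke test; it catches enumerable additions to Object.prototype, not every possible abuse.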
Update the Immutable.js library to version 3.8.4, 4.3.8 or 5.1.6, or a later release on the same line. This fixes the Prototype Pollution vulnerability in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS() and Map.toObject() APIs.
CVE-2026-29063 is a Prototype Pollution vulnerability in Immutable.js (3.x before 3.8.4, 4.x before 4.3.8, 5.x before 5.1.6) that lets an attacker who controls data passed to its merge and conversion APIs modify object prototypes and, depending on the application, potentially execute arbitrary code.
If your Node.js application uses Immutable.js at one of those versions, directly or through a dependency, you are potentially affected.
Upgrade to 3.8.4, 4.3.8 or 5.1.6 (or later) to resolve the vulnerability. As an interim measure, strip the keys __proto__, constructor and prototype from untrusted input before it reaches Immutable.js.
While no active exploitation campaigns have been publicly reported, the vulnerability poses a significant risk and exploitation is possible.
Refer to the Immutable.js project's release notes and security advisories on their GitHub repository for the latest information.