Prototype Pollution in Immutable.js v<3.8.3/4.3.7/5.1.5 via mergeDeep API
CVE-2026-29063 Published on March 6, 2026

Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Reference: NVD entry for CVE-2026-29063

Vulnerability Analysis

CVE-2026-29063 is exploitable over the network by an attacker holding low privileges, with no user interaction and low attack complexity. A successful exploit is rated high impact on confidentiality, integrity and availability. In practice the attacker needs to get attacker-controlled JSON (for example a request body) into one of the listed merge or conversion APIs.

CVSS v3 metrics (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, equivalent to base score 8.8):

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Weakness Types

What is a Prototype Pollution Vulnerability?

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CVE-2026-29063 has been classified as a Prototype Pollution weakness (CWE-1321).

What is a Mass Assignment Vulnerability?

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CVE-2026-29063 has also been classified as a Mass Assignment weakness (CWE-915): the merge APIs accept arbitrary attribute names from the input rather than restricting which attributes may be set.
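The following is an added illustration of the bug class described above (the advisory text and the two weakness definitions); it is generic JavaScript written for this page and is not Immutable.js's own code or the patched implementation. It shows a naive deep merge that walks every key of attacker-controlled JSON, how a `"__proto__"` key in that JSON reaches `Object.prototype`, a hardened merge that refuses the three keys that can reach a prototype, and an input check a service can run at its trust boundary before handing data to any merge or `toObject()`-style conversion. The payload, the `naiveMergeDeep`, `safeMergeDeep`, `findForbiddenKeys` and `demonstrate` names are all constructed for the example.

```javascript
// Added example of the prototype-pollution bug class behind CVE-2026-29063.
// Generic code written for this page, not Immutable.js's implementation.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: recurses into every source key. For key "__proto__",
// target[key] resolves through the inherited accessor to Object.prototype,
// so the nested values are written onto the shared prototype.
function naiveMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMergeDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: rejects keys that can reach a prototype, only descends
// into *own* properties of the target, and creates nested containers with a
// null prototype so a literal "__proto__" key can never hit the accessor.
function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = isPlainObject(own) ? own : Object.create(null);
      target[key] = safeMergeDeep(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Trust-boundary check: walk parsed JSON and return dotted paths of any
// forbidden key so the request can be rejected before it reaches a merge.
function findForbiddenKeys(value, path = []) {
  const hits = [];
  if (!isPlainObject(value)) return hits;
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findForbiddenKeys(value[key], here));
  }
  return hits;
}

// Constructed attacker payload. JSON.parse creates an *own* property named
// "__proto__", which Object.keys() enumerates like any other key.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

function demonstrate() {
  const payload = JSON.parse(PAYLOAD);
  const victim = {};                        // unrelated object created before the merge

  naiveMergeDeep({}, payload);
  const polluted = victim.isAdmin === true; // inherited from the polluted Object.prototype
  delete Object.prototype.isAdmin;          // undo the pollution so later code is unaffected

  let safeThrew = false;
  try { safeMergeDeep({}, payload); } catch (e) { safeThrew = true; }
  const stillClean = victim.isAdmin === undefined;

  return { polluted, safeThrew, stillClean, hits: findForbiddenKeys(payload) };
}

console.log(demonstrate());
```

The check in `findForbiddenKeys` is deliberately key-based rather than value-based: pollution needs only the key name to reach the prototype, so rejecting `__proto__`, `constructor` and `prototype` anywhere in the document is the cheapest reliable filter. Applications that cannot upgrade immediately can apply such a filter to request bodies before they reach the affected Immutable.js APIs, but the filter is a stopgap, not a substitute for the fixed versions.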



Affected Versions

Package: immutable-js, as shipped in the following Red Hat products:

Red Hat Migration Toolkit for Virtualization 2.1
Red Hat Migration Toolkit for Virtualization 2.9
Red Hat Network Observability (NETOBSERV) 1.11.2
Red Hat Network Observability (NETOBSERV) 1.12.0
Red Hat Advanced Cluster Management for Kubernetes 2.15
Red Hat Advanced Cluster Management for Kubernetes 2.16
Red Hat Advanced Cluster Security for Kubernetes 4.10
Red Hat Advanced Cluster Security for Kubernetes 4.8
Red Hat Advanced Cluster Security for Kubernetes 4.9
Red Hat Developer Hub 1.8
Red Hat Developer Hub 1.9
Red Hat Discovery 2
Red Hat OpenShift AI 2.25
Red Hat OpenShift AI 3.3
Red Hat OpenShift Container Platform 4.16
Red Hat OpenShift Container Platform 4.17
Red Hat OpenShift Container Platform 4.18
Red Hat OpenShift Container Platform 4.19
Red Hat OpenShift Container Platform 4.20
Red Hat OpenShift Container Platform 4.21
Red Hat OpenShift Pipelines 1.2
Red Hat OpenShift Service Mesh 2.6
Red Hat OpenShift Service Mesh 3.0
Red Hat OpenShift Service Mesh 3.1
Red Hat OpenShift Service Mesh 3.2
Red Hat OpenShift Service Mesh 3.3
Red Hat Quay 3.12
Red Hat Quay 3.15
Red Hat Quay 3.16
Red Hat Quay 3.17
Red Hat Quay 3.1
Red Hat Quay 3.9
Red Hat Satellite 6.18
Red Hat multicluster engine for Kubernetes 2.10
Red Hat multicluster engine for Kubernetes 2.11
Red Hat multicluster engine for Kubernetes 2.6
Red Hat multicluster engine for Kubernetes 2.7
Red Hat multicluster engine for Kubernetes 2.8
Red Hat multicluster engine for Kubernetes 2.9
Logging Subsystem for Red Hat OpenShift
Red Hat Migration Toolkit for Containers
Red Hat Node HealthCheck Operator
Red Hat OpenShift Lightspeed
Red Hat OpenShift Pipelines
Red Hat 3scale API Management Platform 2
Red Hat Ansible Automation Platform 2
Red Hat build of Apicurio Registry 2
Red Hat Connectivity Link 1
Red Hat Edge Manager 1
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 9
Red Hat OpenShift AI (RHOAI)
Red Hat OpenShift Container Platform 4
Red Hat OpenShift Data Foundation 4
Red Hat OpenShift GitOps
Red Hat OpenShift Virtualization 4
Red Hat Satellite 6
Red Hat Self-service automation portal 2
Red Hat OpenShift Service Mesh 3
Red Hat Enterprise Linux 8

Exploit Probability

EPSS score: 0.61%
Percentile: 44.57%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.