Critical severity9.8NVD Advisory· Published Mar 6, 2026· Updated Apr 17, 2026
CVE-2026-29063
CVE-2026-29063
Description
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
immutablenpm | >= 4.0.0-rc.1, < 4.3.8 | 4.3.8 |
immutablenpm | >= 5.0.0, < 5.1.5 | 5.1.5 |
immutablenpm | < 3.8.3 | 3.8.3 |
Affected products
15- osv-coords14 versionspkg:apk/chainguard/argo-workflows-ui-3.6pkg:apk/chainguard/argo-workflows-ui-3.7pkg:apk/chainguard/argo-workflows-ui-4.0pkg:apk/chainguard/gitlab-rails-ce-19.0pkg:apk/chainguard/gitlab-rails-ce-fips-19.1pkg:apk/chainguard/rancher-api-uipkg:apk/chainguard/vitess-22pkg:apk/chainguard/vitess-23pkg:apk/wolfi/argo-workflows-ui-3.7pkg:apk/wolfi/argo-workflows-ui-4.0pkg:apk/wolfi/rancher-api-uipkg:apk/wolfi/vitess-22pkg:apk/wolfi/vitess-23pkg:npm/immutable
< 3.6.19-r3+ 13 more
- (no CPE)range: < 3.6.19-r3
- (no CPE)range: < 3.7.10-r4
- (no CPE)range: < 4.0.1-r4
- (no CPE)range: < 19.0.3-r1
- (no CPE)range: < 19.1.1-r1
- (no CPE)range: < 1.2.3-r6
- (no CPE)range: < 22.0.4-r6
- (no CPE)range: < 23.0.3-r7
- (no CPE)range: < 3.7.10-r4
- (no CPE)range: < 4.0.1-r4
- (no CPE)range: < 1.2.3-r6
- (no CPE)range: < 22.0.4-r6
- (no CPE)range: < 23.0.3-r7
- (no CPE)range: >= 4.0.0-rc.1, < 4.3.8
Patches
Vulnerability mechanics
References
10- github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgwnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-wf6x-7x77-mvgwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-29063ghsaADVISORY
- github.com/immutable-js/immutable-js/commit/16b3313fdf2c5f579f10799e22869f6909abf945ghsaWEB
- github.com/immutable-js/immutable-js/commit/6e2cf1cfe6137e72dfa48fc2cfa8f4d399d113f9ghsaWEB
- github.com/immutable-js/immutable-js/commit/6ed4eb626906df788b08019061b292b90bc718cbghsaWEB
- github.com/immutable-js/immutable-js/issues/2178ghsaWEB
- github.com/immutable-js/immutable-js/releases/tag/v3.8.3nvdRelease NotesWEB
- github.com/immutable-js/immutable-js/releases/tag/v4.3.8nvdRelease NotesWEB
- github.com/immutable-js/immutable-js/releases/tag/v5.1.5nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.