A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-29063

CVE-2026-29063: Immutable.js Prototype Pollution Flaw

CVE-2026-29063 is a prototype pollution vulnerability in Immutable.js affecting mergeDeep(), merge(), and other APIs. Attackers can exploit this to modify object prototypes. This article covers technical details, affected versions, impact, and mitigation steps.

Published: March 13, 2026

CVE-2026-29063 Overview

CVE-2026-29063 is a Prototype Pollution vulnerability affecting Immutable.js, a popular JavaScript library that provides Persistent Immutable data structures. The vulnerability exists in several core APIs including mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject(). Attackers can exploit these functions to pollute the prototype chain of JavaScript objects, potentially leading to unauthorized data access, denial of service, or in some cases, remote code execution depending on the application context.

Critical Impact

Prototype Pollution in Immutable.js can allow attackers to modify object prototypes via vulnerable merge and conversion APIs, potentially compromising application security and data integrity across the entire JavaScript runtime.

Affected Products

  • Immutable.js versions prior to 3.8.3
  • Immutable.js versions 4.x prior to 4.3.7
  • Immutable.js versions 5.x prior to 5.1.5

Discovery Timeline

  • 2026-03-06 - CVE-2026-29063 published to NVD
  • 2026-03-09 - Last updated in NVD database

Technical Details for CVE-2026-29063

Vulnerability Analysis

This vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). Prototype Pollution occurs when an attacker can inject properties into JavaScript object prototypes through unsafe object operations. In the case of Immutable.js, the affected APIs fail to properly sanitize keys during deep merge operations and object conversions, allowing malicious payloads containing __proto__ or constructor.prototype to pollute the base Object prototype.

The network-accessible attack vector with no privileges required makes this vulnerability particularly concerning for applications that process untrusted user input through these Immutable.js APIs. When user-controlled data flows into mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), or Map.toObject() without proper sanitization, an attacker can modify the prototype chain of all JavaScript objects in the application runtime.

Root Cause

The root cause lies in insufficient validation of object keys during recursive merge operations and object conversion processes. The vulnerable functions do not properly check for dangerous prototype-related properties such as __proto__, constructor, or prototype before performing assignments. This allows specially crafted nested objects to traverse up the prototype chain and inject malicious properties that affect all objects inheriting from the polluted prototype.

Attack Vector

The attack vector for this vulnerability involves submitting maliciously crafted nested objects to applications using the vulnerable Immutable.js APIs. An attacker can exploit this by sending JSON payloads containing prototype pollution gadgets such as {"__proto__": {"polluted": true}} or {"constructor": {"prototype": {"polluted": true}}}. When processed by the vulnerable mergeDeep() or similar functions, these payloads modify the base Object prototype, potentially affecting application logic, bypassing security checks, or enabling further exploitation depending on how the application uses object properties.

The vulnerability mechanism can be understood by examining how the affected functions handle nested object structures. When processing input without proper key sanitization, the merge operations traverse object hierarchies and assign values at each level. By targeting special properties like __proto__, attackers can redirect these assignments to pollute shared prototypes. For detailed technical analysis, refer to the GitHub Security Advisory GHSA-wf6x-7x77-mvgw.

Detection Methods for CVE-2026-29063

Indicators of Compromise

  • Unexpected properties appearing on JavaScript objects that were not explicitly defined
  • Application behavior changes indicating prototype chain modifications
  • HTTP requests or API calls containing __proto__, constructor.prototype, or similar prototype pollution payloads in JSON bodies
  • Unusual object property access patterns in application logs

Detection Strategies

  • Implement static analysis scanning to identify usage of vulnerable Immutable.js versions and affected API calls (mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), Map.toObject())
  • Deploy web application firewall (WAF) rules to detect and block requests containing prototype pollution attack patterns in JSON payloads
  • Use software composition analysis (SCA) tools to inventory Immutable.js dependencies and flag versions prior to 3.8.3, 4.3.7, or 5.1.5
  • Monitor application runtime for prototype modifications using Object.freeze() or Object.seal() on critical prototypes as canaries

Monitoring Recommendations

  • Enable verbose logging on API endpoints that process user-provided JSON data to capture suspicious payloads
  • Implement runtime monitoring to detect unexpected modifications to Object.prototype or other base prototypes
  • Set up alerts for dependency vulnerability scanners when new prototype pollution CVEs are published affecting JavaScript libraries

How to Mitigate CVE-2026-29063

Immediate Actions Required

  • Update Immutable.js to patched versions: 3.8.3 for the 3.x branch, 4.3.7 for the 4.x branch, or 5.1.5 for the 5.x branch
  • Audit application code to identify all usages of the vulnerable APIs: mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject()
  • Implement input validation to sanitize user-controlled data before passing to Immutable.js APIs, specifically blocking __proto__ and constructor keys
  • Run dependency vulnerability scans across all projects to identify affected Immutable.js versions

Patch Information

The Immutable.js maintainers have released security patches addressing this vulnerability across all supported version branches. Organizations should upgrade to the appropriate patched version based on their current deployment:

  • Version 3.x: Upgrade to v3.8.3
  • Version 4.x: Upgrade to v4.3.8
  • Version 5.x: Upgrade to v5.1.5

For additional details on the vulnerability and remediation, consult the GitHub Security Advisory GHSA-wf6x-7x77-mvgw.

Workarounds

  • Implement a sanitization layer to recursively remove __proto__, constructor, and prototype keys from user input before processing with Immutable.js
  • Use Object.freeze(Object.prototype) at application startup to prevent prototype modifications (note: this may break some libraries)
  • Wrap vulnerable API calls with validation functions that reject objects containing dangerous keys
bash
# Configuration example - Update Immutable.js via npm
npm update immutable@5.1.5

# Or for specific version branches:
npm install immutable@3.8.3  # For 3.x branch
npm install immutable@4.3.7  # For 4.x branch
npm install immutable@5.1.5  # For 5.x branch

# Audit for vulnerable dependencies
npm audit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeOther
  • Vendor/TechImmutable Js
  • SeverityHIGH
  • CVSS Score8.7
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-1321
  • Technical References
  • GitHub Release v3.8.3
  • GitHub Release v4.3.8
  • GitHub Release v5.1.5
  • GitHub Security Advisory GHSA-wf6x-7x77-mvgw
  • Latest CVEs
  • CVE-2026-9813: FlowIntel SSRF Vulnerability
  • CVE-2026-4377: D-Link DWR-X1820 Auth Bypass Vulnerability
  • CVE-2026-47074: ex_aws_sns Auth Bypass Vulnerability
  • CVE-2026-46241: Linux Kernel Use-After-Free Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English