Description
Prototype pollution is possible in immutable via the `mergeDeep()`, `mergeDeepWith()`, `merge()`, `Map.toJS()`, and `Map.toObject()` APIs.
Recommendation
Update the immutable package to the latest compatible version. Version details are as follows:

Affected version(s):
- **< 3.8.3**
- **>= 4.0.0-rc.1, < 4.3.8**
- **>= 5.0.0, < 5.1.5**

Patched version(s): **3.8.3**, **4.3.8**, **5.1.5**
References
Related Issues
- Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - CVE-2026-2950
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash.unset - CVE-2026-2950
- Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization - CVE-2026-6594
Tags: npm, immutable
Last updated on April 24, 2026


