Description
Prototype pollution is possible in the immutable package via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.
Recommendation
Update the immutable package to the latest compatible version. Version details:
Affected version(s):
- **< 3.8.3**
- **>= 4.0.0-rc.1, < 4.3.8**
- **>= 5.0.0, < 5.1.5**
Patched version(s): **3.8.3**, **4.3.8**, **5.1.5**
References
Related Issues
- CASL Ability is Vulnerable to Prototype Pollution - CVE-2026-1774
- Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
- Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks - CVE-2022-41879
- Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers - CVE-2022-41878
Tags: npm, immutable
Last updated on March 06, 2026