44 matches found
CVE-2026-29063 Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5...
CVE-2026-29063
CVE-2026-29063 affects Immutable.js, where prototype pollution is possible via mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs in versions prior to 3.8.3, 4.3.7, and 5.1.5. IBM security bulletins corroborate the issue and list affected IBM products (e.g., Cloud Pak for ...
GHSA-WF6X-7X77-MVGW Immutable is vulnerable to Prototype Pollution
Impact: What kind of vulnerability is it? Who is impacted? A Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. Affected APIs (table columns: API, Notes)...
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution in the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject functions. An attacker can inject arbitrary properties into object prototypes by supplying crafted input containing special keys, potentially leading...
EUVD-2025-203121
Vuetify has a Prototype Pollution vulnerability...
Prototype Pollution
Overview org.webjars.npm:vuetify is a Material Design component framework for Vue.js. Affected versions of this package are vulnerable to Prototype Pollution via the mergeDeep function used to merge preset options with defaults. An attacker can inject arbitrary properties into all JavaScript...
CVE-2025-8083 Vuetify Prototype Pollution via Preset options
The Preset configuration (https://v2.vuetifyjs.com/en/features/presets) feature of Vuetify is vulnerable to Prototype Pollution (https://cheatsheetseries.owasp.org/cheatsheets/PrototypePollutionPreventionCheatSheet.html) due to the internal 'mergeDeep' utility function used to merge options with...
CVE-2025-8083
Vuetify CVE-2025-8083 is a Prototype Pollution flaw in the Preset configuration feature via internal mergeDeep when merging malicious presets. Affected: Vuetify >=2.2.0-beta.2 and
Elysia vulnerable to prototype pollution with multiple standalone schema validation
Prototype pollution vulnerability in mergeDeep after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the __proto__ prop to be merged. When combined with GHSA-8vch-m3f4-q8jf...
GHSA-HXJ9-33PP-J2CC Elysia vulnerable to prototype pollution with multiple standalone schema validation
Prototype pollution vulnerability in mergeDeep after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the __proto__ prop to be merged. When combined with GHSA-8vch-m3f4-q8jf...
EUVD-2021-1394
Malware in sbrugna...
EUVD-2018-0254
Malware in sbrugna...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview org.webjars.npm:ag-grid-community is a fully-featured and highly customizable JavaScript data grid. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the .mergeDeep function. An attacker can execute...
Prototype Pollution
Overview web3-utils is a collection of utility functions used in web3.js. Affected versions of this package are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading ...
react-here-map-interactive (>=0.0.1 <=0.9.2) potentially affected by CVE-2021-23700 via merge-deep2 (=3.0.6)
merge-deep2 NPM version =3.0.6 is affected by a known vulnerability. The following packages have a transitive dependency on merge-deep2 and may be impacted: - react-here-map-interactive =0.0.1, =0.9.2 Source cves: CVE-2021-23700 Source advisory: OSV:GHSA-J28Q-P8WW-CP87...
merge-deep code issue vulnerability
merge-deep is an open source tool. It is used to recursively merge values in JavaScript objects. A code issue vulnerability exists in merge-deep2 that stems from the product's susceptibility to prototype pollution by the mergeDeep function. The following products and versions are affected:...
react-here-map-interactive (>=0.0.1 <=0.9.2) potentially affected by CVE-2021-23700 via merge-deep2 (=3.0.6)
merge-deep2 NPM version =3.0.6 is affected by a known vulnerability. The following packages have a transitive dependency on merge-deep2 and may be impacted: - react-here-map-interactive =0.0.1, =0.9.2 Source cves: CVE-2021-23700 Source advisory: SNYK:JS-MERGEDEEP2-1727593...
Prototype Pollution
Overview merge-deep before 3.0.3 can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library. Recommendation...
@byinti/inticli (>=0.1.0 <=2.1.1), @firecubez/req (=1.2.0) +72 more potentially affected by CVE-2021-26707 via merge-deep (>=0.1.5 <=3.0.2)
merge-deep NPM version =0.1.5, =0.1.0, =1.0.2, =7.0.0, =5.2.0, =6.0.1, =0.0.0, =0.1.0-beta.2, =0.22.0, =1.0.0, =0.0.1, =0.0.2, =0.0.3 and more Source cves: CVE-2021-26707 Source advisory: OSV:GHSA-R6RJ-9CH6-G264...