CVE-2026-29063: Immutable Js Iterate Unguarded Key Assignment Prototype Pollution
greprules fetch cve-2026-29063-immutable-js-iterate-unguarded-key-assignment-prototype-pollution --engine opengrep
Description
Iteration callback writes `$OBJ[$K] = $V` to a plain object without filtering prototype-polluting keys (e.g. '__proto__', 'constructor'). When the iterated collection's keys are attacker-controlled (e.g. an Immutable.Map built from `fromJS(JSON.parse(input))`), this triggers the prototype setter and pollutes the returned object's prototype (CVE-2026-29063, C
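The pattern described above, shown beside a guarded form. This is an added example, not code from the rule or from Immutable.js: a native Map stands in for the iterated collection, the input string is constructed, and the names toObjectUnguarded, toObjectGuarded and BLOCKED_KEYS are hypothetical.

```javascript
// Added example. All names here are hypothetical; a native Map stands in
// for the keyed collection whose keys come from parsed, untrusted JSON.

// Keys the description names as prototype-polluting.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor']);

// Constructed input. JSON.parse stores "__proto__" as an ordinary own key,
// so it survives into any collection built from the parsed object.
const input = '{"name": "alice", "__proto__": {"isAdmin": true}}';
const collection = new Map(Object.entries(JSON.parse(input)));

// Flagged shape: the callback assigns obj[k] = v with no key filter.
function toObjectUnguarded(coll) {
  const obj = {};
  coll.forEach((v, k) => {
    obj[k] = v; // k === '__proto__' runs the prototype setter on obj
  });
  return obj;
}

// Guarded shape: prototype-polluting keys are skipped before the write.
function toObjectGuarded(coll) {
  const obj = {};
  coll.forEach((v, k) => {
    if (BLOCKED_KEYS.has(k)) return;
    obj[k] = v;
  });
  return obj;
}

// Report what a consumer of the returned object would observe.
function inspect(obj) {
  return {
    isAdmin: obj.isAdmin, // resolved through the prototype chain
    ownKeys: Object.keys(obj),
    protoIntact: Object.getPrototypeOf(obj) === Object.prototype,
  };
}

console.log('unguarded:', inspect(toObjectUnguarded(collection)));
console.log('guarded:  ', inspect(toObjectGuarded(collection)));
```

In the unguarded result `isAdmin` is inherited rather than an own key, so it does not appear in `Object.keys` yet still satisfies a truthiness check on the returned object.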
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided