Skip to main content

Immutable.js CVE-2026-59879

| EUVDEUVD-2026-42318 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-07-08 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Availability-only DoS reachable over the network with no auth or interaction when the app forwards untrusted numbers; scope unchanged, no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 18:02 EUVD
Analysis Generated
Jul 08, 2026 - 16:56 vuln.today

DescriptionCVE.org

Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an index or size in the range 2 30 to 2 31 in setListBounds in src/List.js, causing an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values. This issue is fixed in versions 4.3.9 and 5.1.8.

AnalysisAI

Denial of service in the Immutable.js JavaScript library (versions before 4.3.9 and 5.1.8) allows attackers who can influence an index or size value to crash or hang a Node.js/browser process. Passing a value between 2^30 and 2^31 to List#set, setSize, setIn, updateIn (or the functional equivalents) drives setListBounds into an uncatchable infinite loop on empty Lists, unbounded memory allocation until process abort on populated Lists, or a silent integer wrap on setSize. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint feeding numeric input to List
Delivery
Submit index/size value near 2^30
Exploit
Value reaches setListBounds in List.js
Execution
Trigger infinite loop or unbounded allocation
Impact
Process hang or abort (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application pass an attacker-influenced numeric value in the range 2^30 to 2^31 (approximately 1,073,741,824 to 2,147,483,647) into one of the affected APIs: List#set, List#setSize, List#setIn, List#updateIn, or the functional set/setIn/updateIn. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent but modest in real-world urgency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application uses Immutable.js and passes a user-supplied number - for example a pagination size, array index, or JSON field - into List#setSize or List#set. An attacker submits a value such as 1073741824 (2^30), and on an empty List the process enters an uncatchable infinite loop or, on a populated List, allocates memory until the Node.js process aborts, taking down the service. …
Remediation Upgrade to Vendor-released patch: 4.3.9 (for 4.x deployments) or 5.1.8 (for 5.x deployments); the fixes are in commits a1a1ee412dcaa380ab325196283d06594ffe4b84 and f0bc997d8eb9886aff2236635aa210a95a04304a and are referenced in advisory GHSA-v56q-mh7h-f735. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Immutable.js deployments across services and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59879 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy