Skip to main content

Immutable.js CVE-2026-59880

| EUVDEUVD-2026-42315 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-07-08 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Untrusted keys can reach Map/Set over the network without auth or interaction (AV:N/PR:N/UI:N), collisions are easy to craft against a known hash (AC:L), and impact is CPU-exhaustion DoS only (A:H, C:N/I:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 17:01 EUVD
Analysis Generated
Jul 08, 2026 - 16:33 vuln.today

DescriptionCVE.org

Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.

AnalysisAI

Uncontrolled resource consumption in Immutable.js prior to 4.3.9 and 5.1.8 lets an attacker who controls keys inserted into an Immutable.Map or Immutable.Set exhaust CPU by supplying many keys that share the same 32-bit hash. Because collisions are stored in a HashCollisionNode bucket that is scanned linearly, insertion and lookup degrade from near-constant to quadratic time, producing a denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint ingesting user objects into Immutable Map
Delivery
Craft many keys colliding on 32-bit hash
Exploit
Submit oversized colliding payload
Execution
Force linear scans in HashCollisionNode
Persist
Exhaust CPU and stall event loop
Impact
Denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that attacker-controlled data be used to create keys in an Immutable.Map or Immutable.Set - specifically via one of the named ingestion paths Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep - on a vulnerable version (<4.3.9 or <5.1.8), and the attacker must supply enough distinct keys sharing the same 32-bit hash to inflate a HashCollisionNode. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes an unauthenticated, low-complexity, network-reachable attack, and the impact metrics are honest: VC:N/VI:N with VA:H, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a large JSON object to an API endpoint whose handler calls Immutable.fromJS() or state.merge() on the request body; the object contains hundreds or thousands of keys deliberately chosen to collide on Immutable.js's 32-bit hash. Each insert and subsequent lookup triggers a linear scan of the growing collision bucket, so a single moderately-sized request pegs a CPU core and stalls the event loop, denying service to other users. …
Remediation Upgrade Immutable.js to 4.3.9 (4.x users) or 5.1.8 (5.x users), the vendor-released patched versions per GitHub releases v4.3.9 and v5.1.8 and advisory GHSA-xvcm-6775-5m9r; also update any transitive dependencies that pin an older immutable version by adjusting the lockfile or using npm overrides. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all applications and dependencies to identify use of Immutable.js and current installed versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy