Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Untrusted keys can reach Map/Set over the network without auth or interaction (AV:N/PR:N/UI:N), collisions are easy to craft against a known hash (AC:L), and impact is CPU-exhaustion DoS only (A:H, C:N/I:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.
AnalysisAI
Uncontrolled resource consumption in Immutable.js prior to 4.3.9 and 5.1.8 lets an attacker who controls keys inserted into an Immutable.Map or Immutable.Set exhaust CPU by supplying many keys that share the same 32-bit hash. Because collisions are stored in a HashCollisionNode bucket that is scanned linearly, insertion and lookup degrade from near-constant to quadratic time, producing a denial of service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that attacker-controlled data be used to create keys in an Immutable.Map or Immutable.Set - specifically via one of the named ingestion paths Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep - on a vulnerable version (<4.3.9 or <5.1.8), and the attacker must supply enough distinct keys sharing the same 32-bit hash to inflate a HashCollisionNode. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes an unauthenticated, low-complexity, network-reachable attack, and the impact metrics are honest: VC:N/VI:N with VA:H, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a large JSON object to an API endpoint whose handler calls Immutable.fromJS() or state.merge() on the request body; the object contains hundreds or thousands of keys deliberately chosen to collide on Immutable.js's 32-bit hash. Each insert and subsequent lookup triggers a linear scan of the growing collision bucket, so a single moderately-sized request pegs a CPU core and stalls the event loop, denying service to other users. … |
| Remediation | Upgrade Immutable.js to 4.3.9 (4.x users) or 5.1.8 (5.x users), the vendor-released patched versions per GitHub releases v4.3.9 and v5.1.8 and advisory GHSA-xvcm-6775-5m9r; also update any transitive dependencies that pin an older immutable version by adjusting the lockfile or using npm overrides. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all applications and dependencies to identify use of Immutable.js and current installed versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Immutable Js
View allSame weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42315