Immutable Js
Monthly
Denial of service in the Immutable.js JavaScript library (versions before 4.3.9 and 5.1.8) allows attackers who can influence an index or size value to crash or hang a Node.js/browser process. Passing a value between 2^30 and 2^31 to List#set, setSize, setIn, updateIn (or the functional equivalents) drives setListBounds into an uncatchable infinite loop on empty Lists, unbounded memory allocation until process abort on populated Lists, or a silent integer wrap on setSize. No public exploit code has been identified at time of analysis, and the flaw is not on the CISA KEV list; impact is availability-only.
Uncontrolled resource consumption in Immutable.js prior to 4.3.9 and 5.1.8 lets an attacker who controls keys inserted into an Immutable.Map or Immutable.Set exhaust CPU by supplying many keys that share the same 32-bit hash. Because collisions are stored in a HashCollisionNode bucket that is scanned linearly, insertion and lookup degrade from near-constant to quadratic time, producing a denial of service. No public exploit identified at time of analysis and no active exploitation is indicated, but the CVSS 4.0 score of 8.7 reflects an easy, unauthenticated, network-reachable availability impact wherever user-supplied objects reach these structures.
Denial of service in the Immutable.js JavaScript library (versions before 4.3.9 and 5.1.8) allows attackers who can influence an index or size value to crash or hang a Node.js/browser process. Passing a value between 2^30 and 2^31 to List#set, setSize, setIn, updateIn (or the functional equivalents) drives setListBounds into an uncatchable infinite loop on empty Lists, unbounded memory allocation until process abort on populated Lists, or a silent integer wrap on setSize. No public exploit code has been identified at time of analysis, and the flaw is not on the CISA KEV list; impact is availability-only.
Uncontrolled resource consumption in Immutable.js prior to 4.3.9 and 5.1.8 lets an attacker who controls keys inserted into an Immutable.Map or Immutable.Set exhaust CPU by supplying many keys that share the same 32-bit hash. Because collisions are stored in a HashCollisionNode bucket that is scanned linearly, insertion and lookup degrade from near-constant to quadratic time, producing a denial of service. No public exploit identified at time of analysis and no active exploitation is indicated, but the CVSS 4.0 score of 8.7 reflects an easy, unauthenticated, network-reachable availability impact wherever user-supplied objects reach these structures.