Skip to main content

Immutable Js

2 CVEs product

Monthly

CVE-2026-59879 HIGH PATCH This Week

Denial of service in the Immutable.js JavaScript library (versions before 4.3.9 and 5.1.8) allows attackers who can influence an index or size value to crash or hang a Node.js/browser process. Passing a value between 2^30 and 2^31 to List#set, setSize, setIn, updateIn (or the functional equivalents) drives setListBounds into an uncatchable infinite loop on empty Lists, unbounded memory allocation until process abort on populated Lists, or a silent integer wrap on setSize. No public exploit code has been identified at time of analysis, and the flaw is not on the CISA KEV list; impact is availability-only.

Integer Overflow Denial Of Service Immutable Js
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59880 HIGH PATCH This Week

Uncontrolled resource consumption in Immutable.js prior to 4.3.9 and 5.1.8 lets an attacker who controls keys inserted into an Immutable.Map or Immutable.Set exhaust CPU by supplying many keys that share the same 32-bit hash. Because collisions are stored in a HashCollisionNode bucket that is scanned linearly, insertion and lookup degrade from near-constant to quadratic time, producing a denial of service. No public exploit identified at time of analysis and no active exploitation is indicated, but the CVSS 4.0 score of 8.7 reflects an easy, unauthenticated, network-reachable availability impact wherever user-supplied objects reach these structures.

Information Disclosure Immutable Js
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in the Immutable.js JavaScript library (versions before 4.3.9 and 5.1.8) allows attackers who can influence an index or size value to crash or hang a Node.js/browser process. Passing a value between 2^30 and 2^31 to List#set, setSize, setIn, updateIn (or the functional equivalents) drives setListBounds into an uncatchable infinite loop on empty Lists, unbounded memory allocation until process abort on populated Lists, or a silent integer wrap on setSize. No public exploit code has been identified at time of analysis, and the flaw is not on the CISA KEV list; impact is availability-only.

Integer Overflow Denial Of Service Immutable Js
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Uncontrolled resource consumption in Immutable.js prior to 4.3.9 and 5.1.8 lets an attacker who controls keys inserted into an Immutable.Map or Immutable.Set exhaust CPU by supplying many keys that share the same 32-bit hash. Because collisions are stored in a HashCollisionNode bucket that is scanned linearly, insertion and lookup degrade from near-constant to quadratic time, producing a denial of service. No public exploit identified at time of analysis and no active exploitation is indicated, but the CVSS 4.0 score of 8.7 reflects an easy, unauthenticated, network-reachable availability impact wherever user-supplied objects reach these structures.

Information Disclosure Immutable Js
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy