Home

Description

Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.

PUBLISHED Reserved 2026-07-07 | Published 2026-07-08 | Updated 2026-07-08 | Assigner GitHub_M




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-407: Inefficient Algorithmic Complexity

Product status

< 4.3.9
affected

>= 5.0.0-beta.1, < 5.1.8
affected

References

github.com/...ble-js/security/advisories/GHSA-xvcm-6775-5m9r exploit

github.com/...ble-js/security/advisories/GHSA-xvcm-6775-5m9r

github.com/...ommit/3dd7e5655012597a41873e328bf9142a8901527b

github.com/...ommit/e51d49fc612ded5ec4dfb94ff294d22074269b0f

github.com/immutable-js/immutable-js/releases/tag/v4.3.9

github.com/immutable-js/immutable-js/releases/tag/v5.1.8

cve.org (CVE-2026-59880)

nvd.nist.gov (CVE-2026-59880)

Download JSON