CVE-2026-59879
HIGH Exploitation: PoC
8.7
CVSS 4.0
Description
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in src/List.js, causing an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values. This issue is fixed in versions 4.3.9 and 5.1.8.
Metadata
Severity & Metrics
8.7
HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| immutable-js | immutable-js | — | >= 5.0.0-beta.1, < 5.1.8, < 4.3.9 |
Weakness (CWE)
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 8.7 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
References (5)
- https://github.com/immutable-js/immutable-js/security/advisories/GHSA-v56q-mh7h-f735 https://github.com/immutable-js/immutable-js/security/advisories/GHSA-v56q-mh7h-f735
- https://github.com/immutable-js/immutable-js/commit/a1a1ee412dcaa380ab325196283d06594ffe4b84 https://github.com/immutable-js/immutable-js/commit/a1a1ee412dcaa380ab325196283d06594ffe4b84
- https://github.com/immutable-js/immutable-js/commit/f0bc997d8eb9886aff2236635aa210a95a04304a https://github.com/immutable-js/immutable-js/commit/f0bc997d8eb9886aff2236635aa210a95a04304a
- https://github.com/immutable-js/immutable-js/releases/tag/v4.3.9 https://github.com/immutable-js/immutable-js/releases/tag/v4.3.9
- https://github.com/immutable-js/immutable-js/releases/tag/v5.1.8 https://github.com/immutable-js/immutable-js/releases/tag/v5.1.8