Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.
CVSS
No CVSS.
References
Configurations
No configuration.
History
08 Jul 2026, 17:17
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/immutable-js/immutable-js/security/advisories/GHSA-xvcm-6775-5m9r - |
08 Jul 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-08 16:16
Updated : 2026-07-08 17:17
NVD link : CVE-2026-59880
Mitre link : CVE-2026-59880
CVE.ORG link : CVE-2026-59880
JSON object : View
Products Affected
No product.
CWE
CWE-407
Inefficient Algorithmic Complexity
