CVE-2026-59880

Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.
CVSS

No CVSS.

Configurations

No configuration.

History

08 Jul 2026, 17:17

Type Values Removed Values Added
References () https://github.com/immutable-js/immutable-js/security/advisories/GHSA-xvcm-6775-5m9r - () https://github.com/immutable-js/immutable-js/security/advisories/GHSA-xvcm-6775-5m9r -

08 Jul 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-08 16:16

Updated : 2026-07-08 17:17


NVD link : CVE-2026-59880

Mitre link : CVE-2026-59880

CVE.ORG link : CVE-2026-59880


JSON object : View

Products Affected

No product.

CWE
CWE-407

Inefficient Algorithmic Complexity