SB2026062999 - Multiple vulnerabilities in Immutable.js

Published: June 29, 2026

Security Bulletin ID: SB2026062999
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Integer overflow (CVE-ID: N/A)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer overflow in List#set, List#setIn, List#updateIn, List#setSize, and the related functional set, setIn, and updateIn operations when processing a crafted index, size, or key-path segment in the range [2 ** 30, 2 ** 31). A remote attacker can send a specially crafted request to cause a denial of service.

A single small unauthenticated request can trigger an uncatchable infinite loop on an empty List or, on a populated List, unbounded allocation that ends in process abort.


2) Integer overflow (CVE-ID: N/A)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to corrupt application state.

The vulnerability exists due to integer overflow in List#setSize when coercing large finite values with signed 32-bit arithmetic. A remote attacker can supply a specially crafted size value to corrupt application state.

The issue silently truncates or wraps large sizes instead of raising an error, for example clearing the List or producing an incorrect, smaller size.
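Both integer overflow issues above (1 and 2) are reached through untrusted index, size or key-path values, so the most direct mitigation while waiting for the vendor update is to validate those values before they reach the List API. The following guard is an added example written for this bulletin; it is not code from the bulletin or from Immutable.js, and it assumes 2 ** 30 as a conservative rejection bound derived from the [2 ** 30, 2 ** 31) range stated above.

```javascript
// Added example (not from the bulletin or Immutable.js): pre-validate untrusted
// index and size values before they reach List#set / List#setIn / List#updateIn /
// List#setSize. The bulletin reports overflow for indices in [2 ** 30, 2 ** 31)
// and for large finite sizes under signed 32-bit coercion, so this guard rejects
// any value whose magnitude reaches 2 ** 30 (a conservative bound, assumed here).
const MAX_SAFE_LIST_INDEX = 2 ** 30 - 1;

class UnsafeListArgumentError extends RangeError {}

// Accepts only integers whose magnitude stays below 2 ** 30. Negative values are
// allowed because Immutable List#set treats them as offsets from the end; they
// still have to satisfy the same magnitude bound. Non-numbers (including numeric
// strings from JSON), NaN, Infinity and non-integers are all rejected.
function checkListIndex(value, what = 'index') {
  if (typeof value !== 'number' || !Number.isInteger(value)) {
    throw new UnsafeListArgumentError(`${what} must be an integer, got ${String(value)}`);
  }
  if (Math.abs(value) > MAX_SAFE_LIST_INDEX) {
    throw new UnsafeListArgumentError(`${what} ${value} exceeds 2 ** 30 - 1`);
  }
  return value;
}

// Sizes are never negative, so the bound is one-sided.
function checkListSize(value) {
  checkListIndex(value, 'size');
  if (value < 0) throw new UnsafeListArgumentError(`size must be non-negative, got ${value}`);
  return value;
}

// Key paths for setIn / updateIn mix string keys (Map segments) and numeric
// segments (List segments); only the numeric segments are subject to the overflow.
function checkKeyPath(path) {
  if (!Array.isArray(path)) throw new UnsafeListArgumentError('key path must be an array');
  return path.map((seg, i) => (typeof seg === 'number' ? checkListIndex(seg, `key path segment ${i}`) : seg));
}

// Boolean form for callers that prefer to filter rather than throw.
function isSafeListIndex(value) {
  try {
    checkListIndex(value);
    return true;
  } catch (e) {
    if (e instanceof UnsafeListArgumentError) return false;
    throw e;
  }
}
```

Wrap the calls that take request-derived values (e.g. `list.set(checkListIndex(req.body.index), v)`) rather than validating at the top of the handler only, so a later code path cannot bypass the check.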


3) Inefficient Algorithmic Complexity (CVE-ID: N/A)

CWE-ID: CWE-407 - Inefficient Algorithmic Complexity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to inefficient algorithmic complexity in Immutable.Map and Immutable.Set collision bucket handling when processing attacker-controlled object keys. A remote attacker can supply many crafted colliding keys to cause a denial of service.

Applications are affected when untrusted input is used as keys in Immutable structures rather than only as values under fixed keys.


Remediation

Install the update from the vendor's website.