Integer overflow in Immutable.js - #VU135792
Published: June 29, 2026
Immutable.js
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in List#set, List#setIn, List#updateIn, List#setSize, and the related functional set, setIn, and updateIn operations when processing a crafted index, size, or key-path segment in the range [2 ** 30, 2 ** 31). A remote attacker can send a specially crafted request to cause a denial of service.
A single small unauthenticated request can trigger an uncatchable infinite loop on an empty List or unbounded allocation leading to process abort on a populated List.