Integer overflow in Immutable.js - #VU135793
Published: June 29, 2026
Immutable.js
Detailed vulnerability description
The vulnerability allows a remote attacker to corrupt application state.
The vulnerability exists due to integer overflow in List#setSize when coercing large finite values with signed 32-bit arithmetic. A remote attacker can supply a specially crafted size value to corrupt application state.
Large sizes are silently truncated or wrapped instead of raising an error, which can, for example, clear the List or produce an incorrect smaller size.
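The following added example is not Immutable.js code or part of the original advisory. It models the signed 32-bit coercion described above with JavaScript's standard ToInt32 conversion (`value | 0`) and shows a guard that rejects untrusted sizes before they reach List#setSize. The names `wrapToInt32`, `validateListSize`, `MAX_LIST_SIZE` and the sample values are assumptions made for illustration.

```javascript
// Model of signed 32-bit coercion using the standard ToInt32 conversion.
// Assumption: this mirrors the behaviour the advisory describes; it is
// not taken from the Immutable.js source.
function wrapToInt32(value) {
  return value | 0;
}

// Hypothetical application-chosen upper bound for list sizes.
const MAX_LIST_SIZE = 1000000;

// Guard for untrusted input: fail loudly instead of letting the value wrap.
function validateListSize(value) {
  if (typeof value !== 'number' || !Number.isInteger(value)) {
    throw new TypeError('size must be an integer number');
  }
  if (value < 0 || value > MAX_LIST_SIZE) {
    throw new RangeError('size out of range: ' + value);
  }
  return value;
}

// Constructed sample inputs: one normal size and three large finite values.
const SAMPLES = [10, 2 ** 31, 2 ** 32, 2 ** 32 + 5];

// For each requested size, show what 32-bit coercion would yield and
// what the guard does with the same input.
function report(samples) {
  return samples.map((requested) => {
    let guarded;
    try {
      guarded = validateListSize(requested);
    } catch (err) {
      guarded = err.name; // 'TypeError' or 'RangeError'
    }
    return { requested, wrapped: wrapToInt32(requested), guarded };
  });
}

console.log(report(SAMPLES));
```

In the output, 2 ** 32 wraps to 0 (an emptied List) and 2 ** 32 + 5 wraps to 5 (an incorrect smaller size), while the guard rejects both with a RangeError.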