Integer overflow in Immutable.js - #VU135793

 


Published: June 29, 2026


Vulnerability identifier: #VU135793
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-190
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Immutable.js
Affected software:
Immutable.js

Detailed vulnerability description

The vulnerability allows a remote attacker to corrupt application state.

The vulnerability exists due to integer overflow in List#setSize when coercing large finite values with signed 32-bit arithmetic. A remote attacker can supply a specially crafted size value to corrupt application state.

Large sizes are silently truncated or wrapped instead of raising an error, which can clear the List or produce an incorrect, smaller size.
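The wrap described above can be reproduced with plain numbers. The following is an added example, not Immutable.js source code or the vendor's fix: it assumes the signed 32-bit coercion behaves like JavaScript's `value | 0`, and `validateListSize` and its `maxSize` limit are hypothetical names for a guard applied to untrusted input before it reaches `List#setSize`.

```javascript
// Added example with constructed values; not taken from Immutable.js.
// Assumption: the coercion behaves like JavaScript's `value | 0` (ToInt32).
const INT32_MAX = 2 ** 31 - 1;

// What a signed 32-bit coercion turns a number into.
function toInt32(value) {
  return value | 0;
}

// True when a finite size would be altered (wrapped or truncated) by the coercion.
function losesValueAsInt32(value) {
  return Number.isFinite(value) && toInt32(value) !== value;
}

// Hypothetical guard: reject a size explicitly instead of letting it wrap.
// maxSize is an application-chosen ceiling (assumption), well below INT32_MAX.
function validateListSize(value, maxSize = 1000000) {
  if (typeof value !== 'number' || !Number.isInteger(value)) {
    throw new TypeError(`size must be an integer, got ${String(value)}`);
  }
  const limit = Math.min(maxSize, INT32_MAX);
  if (value < 0 || value > limit) {
    throw new RangeError(`size ${value} is outside 0..${limit}`);
  }
  return value;
}

// Constructed sample inputs: one ordinary size and three large finite ones.
const SAMPLES = [10, 2 ** 31, 2 ** 32, 2 ** 32 + 5];

// For each sample: the coerced value, whether it changed, and the guard's verdict.
function report(samples = SAMPLES) {
  return samples.map((requested) => {
    let accepted = true;
    try {
      validateListSize(requested);
    } catch (err) {
      accepted = false;
    }
    return {
      requested,
      coerced: toInt32(requested),
      wraps: losesValueAsInt32(requested),
      accepted,
    };
  });
}

console.table(report());
```

A requested size of 2^32 coerces to 0 (an emptied List) and 2^32 + 5 coerces to 5 (a smaller size), matching the two outcomes described above, while the guard rejects both.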


Remediation

Install the security update from the vendor's website.
