Inefficient Algorithmic Complexity in Immutable.js - #VU135794

 

Inefficient Algorithmic Complexity in Immutable.js - #VU135794

Published: June 29, 2026


Vulnerability identifier: #VU135794
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-407
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Immutable.js
Affected software:
Immutable.js

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to inefficient algorithmic complexity in Immutable.Map and Immutable.Set collision bucket handling when processing attacker-controlled object keys. A remote attacker can supply many crafted colliding keys to cause a denial of service.

Applications are affected when untrusted input is used as keys in Immutable structures rather than only as values under fixed keys.


Remediation

Install security update from vendor's website.

Sources