CVE-2026-59880

Source
https://cve.org/CVERecord?id=CVE-2026-59880
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59880.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59880
Aliases
  • GHSA-xvcm-6775-5m9r
Downstream
Published
2026-07-08T15:44:23.414Z
Modified
2026-07-15T01:48:54.946871561Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Immutable.js: Hash-collision algorithmic complexity denial of service in Immutable.Map/Set
Details

Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59880.json",
    "cwe_ids": [
        "CWE-407"
    ]
}
References

Affected packages

Git / github.com/immutable-js/immutable-js

Affected ranges

Type
GIT
Repo
https://github.com/immutable-js/immutable-js
Events
Database specific
{
    "cpe": "cpe:2.3:a:immutable-js:immutable:*:*:*:*:*:node.js:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.3.9"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.1.8"
        }
    ]
}

Affected versions

2.*
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.2.0
3.2.1
3.3.0
3.4.0
3.4.1
3.5.0
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
v3.*
v3.8.0
v3.8.1
v4.*
v4.0.0
v4.0.0-rc.1
v4.0.0-rc.10
v4.0.0-rc.11
v4.0.0-rc.12
v4.0.0-rc.13
v4.0.0-rc.14
v4.0.0-rc.15
v4.0.0-rc.2
v4.0.0-rc.3
v4.0.0-rc.4
v4.0.0-rc.6
v4.0.0-rc.7
v4.0.0-rc.8
v4.0.0-rc.9
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.1
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v5.*
v5.0.1
v5.0.2
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.1.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59880.json"