PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59879 immutable-js CVE debrief

CVE-2026-59879 is a denial of service (DoS) vulnerability in Immutable.js, a JavaScript library for immutable data structures. The vulnerability affects versions prior to 4.3.9 and 5.1.8. Specifically, the List#set, List#setSize, List#setIn, List#updateIn, and functional set, setIn, and updateIn methods mishandle indices or sizes in the range 2 ** 30 to 2 ** 31 in the setListBounds function in src/List.js. This can cause an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values.

Vendor
immutable-js
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Developers and administrators using Immutable.js versions prior to 4.3.9 or 5.1.8 in their applications should be aware of this vulnerability. This includes anyone who uses Immutable.js for building robust and secure data structures in their JavaScript applications.

Technical summary

The vulnerability arises from improper handling of large indices in Immutable.js List methods. Specifically, the setListBounds function in src/List.js fails to correctly manage indices or sizes between 2 ** 30 and 2 ** 31. This can lead to three primary issues: 1) An empty List can enter an uncatchable infinite loop when attempting to set or update elements, 2) A populated List can allocate memory without bounds until the process aborts, and 3) The setSize method can silently wrap large values, potentially leading to unexpected behavior or security issues.

Defensive priority

High

Recommended defensive actions

  • Update Immutable.js to version 4.3.9 or 5.1.8, or later.
  • Review and test applications that use Immutable.js for potential issues with large list indices.
  • Implement additional monitoring and logging to detect potential exploitation attempts.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-08T17:17:26.370Z and was last modified on 2026-07-10T18:01:31.563Z. The NVD entry is currently Awaiting Analysis. The vulnerability was fixed in versions 4.3.9 and 5.1.8 of Immutable.js.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T17:17:26.370Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.