PatchSiren cyber security CVE debrief
CVE-2026-59879 immutable-js CVE debrief
CVE-2026-59879 is a denial of service (DoS) vulnerability in Immutable.js, a JavaScript library for immutable data structures. The vulnerability affects versions prior to 4.3.9 and 5.1.8. Specifically, the List#set, List#setSize, List#setIn, List#updateIn, and functional set, setIn, and updateIn methods mishandle indices or sizes in the range 2 ** 30 to 2 ** 31 in the setListBounds function in src/List.js. This can cause an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values.
- Vendor
- immutable-js
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Developers and administrators using Immutable.js versions prior to 4.3.9 or 5.1.8 in their applications should be aware of this vulnerability. This includes anyone who uses Immutable.js for building robust and secure data structures in their JavaScript applications.
Technical summary
The vulnerability arises from improper handling of large indices in Immutable.js List methods. Specifically, the setListBounds function in src/List.js fails to correctly manage indices or sizes between 2 ** 30 and 2 ** 31. This can lead to three primary issues: 1) An empty List can enter an uncatchable infinite loop when attempting to set or update elements, 2) A populated List can allocate memory without bounds until the process aborts, and 3) The setSize method can silently wrap large values, potentially leading to unexpected behavior or security issues.
Defensive priority
High
Recommended defensive actions
- Update Immutable.js to version 4.3.9 or 5.1.8, or later.
- Review and test applications that use Immutable.js for potential issues with large list indices.
- Implement additional monitoring and logging to detect potential exploitation attempts.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-08T17:17:26.370Z and was last modified on 2026-07-10T18:01:31.563Z. The NVD entry is currently Awaiting Analysis. The vulnerability was fixed in versions 4.3.9 and 5.1.8 of Immutable.js.
Official resources
-
CVE-2026-59879 CVE record
CVE.org
-
CVE-2026-59879 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Exploit, Mitigation, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T17:17:26.370Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.