PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59880 immutable-js CVE debrief

CVE-2026-59880 is a denial-of-service vulnerability in Immutable.js, a JavaScript library for immutable data structures. Versions before 4.3.9 and 5.1.8 are affected. The vulnerability arises from the way Immutable.Map and Immutable.Set handle keys with the same 32-bit hash in a HashCollisionNode. An attacker who controls keys inserted into a Map can craft colliding keys to degrade insertion and lookup operations, consuming disproportionate CPU. This issue can be mitigated by updating to a fixed version and reviewing user-controlled input to Immutable.Map and Immutable.Set. The vulnerability impacts applications using Immutable.js versions before 4.3.9 and 5.1.8, particularly those with user-controlled input to Immutable.Map and Immutable.Set.

Vendor
immutable-js
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Developers and security teams using Immutable.js versions before 4.3.9 and 5.1.8 should prioritize updating to a fixed version to prevent potential denial-of-service attacks. This includes reviewing and limiting user-controlled input to Immutable.Map and Immutable.Set, and monitoring for unusual CPU consumption patterns in applications using Immutable.js. Security teams should also verify the affected scope and severity with the official advisory.

Technical summary

The vulnerability is caused by the linear scanning of a HashCollisionNode in Immutable.Map and Immutable.Set when keys share the same 32-bit hash. This allows an attacker to craft many colliding keys, degrading insertion and lookup operations to consume disproportionate CPU. The issue is fixed in versions 4.3.9 and 5.1.8. Affected product deployments should be identified and prioritized for updates. The vulnerability impacts applications using Immutable.js versions before 4.3.9 and 5.1.8, particularly those with user-controlled input to Immutable.Map and Immutable.Set.

Defensive priority

High

Recommended defensive actions

  • Update Immutable.js to version 4.3.9 or 5.1.8
  • Review and limit user-controlled input to Immutable.Map and Immutable.Set
  • Monitor for unusual CPU consumption patterns in applications using Immutable.js
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-08T16:16:34.517Z and was last modified on 2026-07-10T18:01:31.563Z. The NVD entry is currently Awaiting Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official advisory. The vulnerability affects Immutable.js versions before 4.3.9 and 5.1.8. Evidence is limited, and defenders should review user-controlled input and monitor CPU consumption.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T16:16:34.517Z and has not been modified since then.