PatchSiren cyber security CVE debrief
CVE-2026-59880 immutable-js CVE debrief
CVE-2026-59880 is a denial-of-service vulnerability in Immutable.js, a JavaScript library for immutable data structures. Versions before 4.3.9 and 5.1.8 are affected. The vulnerability arises from the way Immutable.Map and Immutable.Set handle keys with the same 32-bit hash in a HashCollisionNode. An attacker who controls keys inserted into a Map can craft colliding keys to degrade insertion and lookup operations, consuming disproportionate CPU. This issue can be mitigated by updating to a fixed version and reviewing user-controlled input to Immutable.Map and Immutable.Set. The vulnerability impacts applications using Immutable.js versions before 4.3.9 and 5.1.8, particularly those with user-controlled input to Immutable.Map and Immutable.Set.
- Vendor
- immutable-js
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Developers and security teams using Immutable.js versions before 4.3.9 and 5.1.8 should prioritize updating to a fixed version to prevent potential denial-of-service attacks. This includes reviewing and limiting user-controlled input to Immutable.Map and Immutable.Set, and monitoring for unusual CPU consumption patterns in applications using Immutable.js. Security teams should also verify the affected scope and severity with the official advisory.
Technical summary
The vulnerability is caused by the linear scanning of a HashCollisionNode in Immutable.Map and Immutable.Set when keys share the same 32-bit hash. This allows an attacker to craft many colliding keys, degrading insertion and lookup operations to consume disproportionate CPU. The issue is fixed in versions 4.3.9 and 5.1.8. Affected product deployments should be identified and prioritized for updates. The vulnerability impacts applications using Immutable.js versions before 4.3.9 and 5.1.8, particularly those with user-controlled input to Immutable.Map and Immutable.Set.
Defensive priority
High
Recommended defensive actions
- Update Immutable.js to version 4.3.9 or 5.1.8
- Review and limit user-controlled input to Immutable.Map and Immutable.Set
- Monitor for unusual CPU consumption patterns in applications using Immutable.js
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-08T16:16:34.517Z and was last modified on 2026-07-10T18:01:31.563Z. The NVD entry is currently Awaiting Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official advisory. The vulnerability affects Immutable.js versions before 4.3.9 and 5.1.8. Evidence is limited, and defenders should review user-controlled input and monitor CPU consumption.
Official resources
-
CVE-2026-59880 CVE record
CVE.org
-
CVE-2026-59880 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Exploit, Mitigation, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T16:16:34.517Z and has not been modified since then.