CVE-2026-59879 in Immutable.js
Summary
by MITRE • 07/08/2026
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in src/List.js, causing an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values. This issue is fixed in versions 4.3.9 and 5.1.8.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability in Immutable.js affects critical persistent immutable data structures that are widely used in modern web applications for state management and data handling. This flaw exists in versions prior to 4.3.9 and 5.1.8 where specific list manipulation methods fail to properly validate index or size parameters within the range of 2^30 to 2^31. The root cause lies in the setListBounds function located in src/List.js which does not adequately handle boundary conditions for large integer values, creating a fundamental security and stability issue within the library's core functionality.
The technical implementation flaw manifests through multiple affected methods including List#set, List#setSize, List#setIn, List#updateIn, and their corresponding functional counterparts set, setIn, and updateIn. When these methods encounter indices or sizes in the problematic range, they trigger different failure modes depending on the list's state. Empty lists become trapped in uncatchable infinite loops that can only be resolved through process termination, while populated lists experience unbounded memory allocation until system resources are exhausted and the process aborts. Additionally, the setSize method silently wraps large values without proper validation, potentially leading to unexpected behavior that is difficult to detect during runtime.
This vulnerability directly impacts application stability and security posture by creating potential denial of service conditions that can be exploited through crafted input parameters. The infinite loop scenario represents a classic resource exhaustion attack vector where an attacker could trigger system instability by providing malicious index values, while the unbounded memory allocation presents another attack surface that could lead to system crashes or performance degradation. The vulnerability is particularly concerning in applications that process user-provided data or accept external inputs that may be passed directly to these list manipulation methods.
The fix implemented in versions 4.3.9 and 5.1.8 addresses the core validation issue by properly handling boundary conditions for large integer values within the affected range. This remediation aligns with security best practices for input validation and boundary checking, preventing the problematic execution paths that previously led to infinite loops or unbounded resource consumption. Organizations should prioritize updating to these fixed versions to eliminate the risk of exploitation, particularly in production environments where immutable data structures are heavily utilized.
From a cybersecurity perspective, this vulnerability maps to CWE-129 Input Validation and the ATT&CK technique T1499.004 for Resource Exhaustion attacks. The issue demonstrates how seemingly minor boundary condition handling can create significant security implications in widely-used libraries, highlighting the importance of comprehensive testing for edge cases in critical software components. The vulnerability also emphasizes the need for proper integer overflow protection and validation in functional programming libraries that handle large data structures, as these environments often lack the traditional memory safety mechanisms found in lower-level languages.
Organizations using Immutable.js should conduct immediate vulnerability assessments to identify applications that may be affected by this issue, particularly those processing external data through list manipulation methods. The remediation process requires careful testing of updated library versions to ensure no regressions in existing functionality while verifying that the boundary condition fixes properly address the reported issues. Additionally, security teams should monitor for similar patterns in other libraries that handle large integer values and implement proactive measures to prevent analogous vulnerabilities from emerging in their software ecosystems.