CVE-2026-59879
Received Received - Intake

Infinite Loop in Immutable.js List Operations

Vulnerability report for CVE-2026-59879, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in src/List.js, causing an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values. This issue is fixed in versions 4.3.9 and 5.1.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
immutable_js immutable_js to 5.1.7 (exc)
immutable_js immutable_js to 4.3.9 (inc)
immutable_js immutable_js to 5.1.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59879 is a high-severity vulnerability in the Immutable.js library affecting versions before 4.3.9 and 5.1.8. The issue arises from improper handling of large indices or sizes in the List data structure, specifically when values are in the range from 2^30 to 2^31. This causes the internal 32-bit trie implementation to overflow due to signed 32-bit arithmetic, leading to different problematic behaviors.

  • For an empty List, the vulnerability triggers an uncatchable infinite CPU loop that requires killing the process to recover.
  • For populated Lists (with 32 or more elements), it causes unbounded memory allocation, leading to heap exhaustion and process termination.
  • The setSize operation silently corrupts data by wrapping large values, causing incorrect size settings.

The root cause is a flaw in the 32-bit trie implementation where bitwise shifts wrap around, causing infinite loops or incorrect calculations. The vulnerability can be triggered by a single unauthenticated request with a maliciously large index.

The issue was fixed by validating inputs upfront, preventing shift wrapping, and throwing a RangeError for invalid sizes, aligning behavior with native JavaScript arrays.

Impact Analysis

This vulnerability primarily impacts the availability of applications using the affected versions of Immutable.js.

  • It can cause an uncatchable infinite loop in empty Lists, leading to CPU exhaustion and requiring manual process termination.
  • For populated Lists, it can cause unbounded memory allocation, resulting in heap exhaustion and process crashes (e.g., SIGABRT or out-of-memory kills).
  • The setSize function can silently corrupt data by wrapping large size values, potentially causing unexpected behavior.

An attacker can exploit this vulnerability remotely without authentication by sending specially crafted requests with large numeric indices, potentially causing denial-of-service (DoS) conditions.

There is no impact on confidentiality or integrity, but the availability impact is significant and can disrupt service.

Detection Guidance

This vulnerability can be detected by monitoring for symptoms such as uncatchable infinite CPU loops or unbounded memory allocation in processes using Immutable.js versions prior to 4.3.9 and 5.1.8. Specifically, look for processes that hang indefinitely or crash due to out-of-memory conditions when handling large indices (in the range 2^30 to 2^31) in List operations.

Since the vulnerability can be triggered by unauthenticated requests containing large numeric indices (e.g., 1073741824), network detection could involve inspecting incoming requests for such suspicious large numeric parameters in URLs or request bodies.

Suggested commands to detect potential exploitation or symptoms include:

  • Use system monitoring tools like `top`, `htop`, or `ps` to identify processes with unusually high CPU usage or memory consumption.
  • Use `strace -p <pid>` or similar to observe if a process is stuck in an infinite loop.
  • Inspect application logs or network traffic for requests containing large numeric indices (>= 1073741824). For example, using `grep` or network capture tools like `tcpdump` or `Wireshark` to filter for suspicious payloads.
  • If the application exposes debugging or diagnostic endpoints, query them to check the version of Immutable.js in use to confirm if it is vulnerable.
Mitigation Strategies

Immediate mitigation steps include upgrading Immutable.js to a fixed version: at least version 4.3.9 or 5.1.8, where the vulnerability has been patched.

If upgrading immediately is not possible, consider the following mitigations:

  • Implement input validation to reject or sanitize indices or sizes in List operations that are equal to or exceed 2^30 (1073741824).
  • Limit heap size or memory usage for processes using Immutable.js to prevent unbounded memory allocation.
  • Run vulnerable operations in restartable worker processes so that if a hang or crash occurs, the worker can be restarted automatically.

These mitigations help prevent denial-of-service conditions caused by infinite loops or memory exhaustion until a full upgrade can be performed.

Compliance Impact

The vulnerability in Immutable.js (CVE-2026-59879) primarily impacts availability by causing denial-of-service conditions such as infinite loops or unbounded memory allocation leading to process crashes.

There is no indication from the provided information that this vulnerability affects confidentiality or integrity of data.

Since compliance standards like GDPR and HIPAA emphasize protecting confidentiality, integrity, and availability of data, this vulnerability mainly poses a risk to availability.

However, the vulnerability does not directly cause data breaches or unauthorized data access, so its impact on compliance with confidentiality and integrity requirements is limited.

Organizations relying on Immutable.js should consider the availability risk and implement mitigations such as input validation and resource limits to maintain compliance with availability requirements in these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59879. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart