CVE-2026-59879

immutable-js · immutable-js

The immutable-js library is vulnerable to uncontrolled resource consumption and infinite loops, potentially leading to denial-of-service conditions.

Executive summary

A high-severity resource consumption vulnerability in immutable-js can be exploited by remote attackers to cause system instability or denial-of-service.

Vulnerability

This vulnerability involves integer overflows and logic errors resulting in infinite loops (CWE-835) or uncontrolled resource consumption (CWE-400). It is exploitable by unauthenticated remote attackers through crafted input that triggers excessive resource usage.

Business impact

Successful exploitation can lead to a denial-of-service (DoS) state, rendering applications dependent on the library unresponsive. Given the CVSS score of 8.7 and the "automatable" classification, this poses a substantial risk to service availability and system stability.

Remediation

Immediate Action: Update the immutable-js dependency to version 5.1.8 or 4.3.9, depending on your current release branch.

Proactive Monitoring: Monitor application performance metrics and container resource utilization (CPU/Memory) for spikes indicative of infinite loop exploitation.

Compensating Controls: Utilize input validation and rate-limiting at the application layer to prevent the submission of malicious payloads designed to trigger these loops.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Development teams should prioritize updating this library to prevent potential availability issues. Given that this vulnerability is automatable, immediate patching is recommended to mitigate the risk of disruption to production services.