CVE-2026-59880
immutable-js · immutable-js
A vulnerability in immutable-js allows unauthenticated remote attackers to cause a Denial of Service (DoS) via inefficient algorithmic complexity.
Executive summary
A high-severity algorithmic complexity vulnerability in immutable-js allows unauthenticated attackers to trigger a Denial of Service, severely impacting application availability.
Vulnerability
This flaw, categorized as CWE-407 (Inefficient Algorithmic Complexity), enables an unauthenticated attacker to supply specially crafted input that triggers excessive resource consumption. This results in significant CPU usage, effectively rendering the affected application unresponsive.
Business impact
The vulnerability carries a CVSS score of 8.7, indicating a high impact on system availability. Successful exploitation can lead to prolonged service outages, disrupting critical business operations and degrading user experience. Because the attack vector is network-based and requires no authentication, the threshold for exploitation is extremely low, necessitating immediate remediation to prevent service disruption.
Remediation
Immediate Action: Update the immutable-js dependency to version 4.3.9 or 5.1.8 or later immediately.
Proactive Monitoring: Monitor server CPU utilization and error logs for anomalous spikes or recurring performance degradation patterns that suggest algorithmic complexity attacks.
Compensating Controls: Implement rate limiting and input validation at the application or WAF level to restrict the volume and complexity of data processed by the library.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the ease of exploitability and the potential for total service interruption, this vulnerability poses a significant risk. Development teams should prioritize updating the immutable-js package in their dependency manifests to the specified patched versions to eliminate the underlying algorithmic flaw.