Source: node-immutable
Version: 4.3.8-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for node-immutable.

CVE-2026-59879[0]:
| Immutable.js provides many Persistent Immutable data structures.
| Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn,
| List#updateIn, and the functional set, setIn, and updateIn mishandle
| an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in
| src/List.js, causing an empty List to enter an uncatchable infinite
| loop, a populated List to allocate without bound until process
| abort, or setSize to silently wrap large values. This issue is fixed
| in versions 4.3.9 and 5.1.8.


CVE-2026-59880[1]:
| Immutable.js provides many Persistent Immutable data structures.
| Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys
| that share the same 32-bit hash in a HashCollisionNode collision
| bucket that is scanned linearly, allowing an attacker who controls
| keys inserted into a Map, such as through Immutable.Map(obj),
| Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to
| craft many colliding keys and degrade insertion and lookup to
| consume disproportionate CPU. This issue is fixed in versions 4.3.9
| and 5.1.8.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-59879
    https://www.cve.org/CVERecord?id=CVE-2026-59879
[1] https://security-tracker.debian.org/tracker/CVE-2026-59880
    https://www.cve.org/CVERecord?id=CVE-2026-59880

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to