Source: node-immutable Version: 4.3.8-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for node-immutable. CVE-2026-59879[0]: | Immutable.js provides many Persistent Immutable data structures. | Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, | List#updateIn, and the functional set, setIn, and updateIn mishandle | an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in | src/List.js, causing an empty List to enter an uncatchable infinite | loop, a populated List to allocate without bound until process | abort, or setSize to silently wrap large values. This issue is fixed | in versions 4.3.9 and 5.1.8. CVE-2026-59880[1]: | Immutable.js provides many Persistent Immutable data structures. | Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys | that share the same 32-bit hash in a HashCollisionNode collision | bucket that is scanned linearly, allowing an attacker who controls | keys inserted into a Map, such as through Immutable.Map(obj), | Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to | craft many colliding keys and degrade insertion and lookup to | consume disproportionate CPU. This issue is fixed in versions 4.3.9 | and 5.1.8. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-59879 https://www.cve.org/CVERecord?id=CVE-2026-59879 [1] https://security-tracker.debian.org/tracker/CVE-2026-59880 https://www.cve.org/CVERecord?id=CVE-2026-59880 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

