Intel

AIKIDO-2026-281048

immutable is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)GHSA-v56q-mh7h-f735 Published Jul 1, 2026

87

High Risk

This Affects:

JSimmutable
0.0.1 - 4.3.8
Fixed in 4.3.9
5.0.0 - 5.1.7
Fixed in 5.1.8
Are you affected? Scan for Free

TL;DR

Affected versions of the immutable package mishandle List indices and sizes in the range [2^30, 2^31) in List#set, List#setSize, List#setIn, and List#updateIn (and their functional equivalents). Signed 32-bit bitwise arithmetic in setListBounds makes the trie level-raising loop never terminate: on an empty List the worker hangs in an uncatchable CPU spin, and on a populated List (32 or more elements) it allocates VNodes without bound until the process aborts from heap exhaustion. Because indices accept numeric strings, a single small untrusted request — for example routing ["items", "1073741824"] through the common state = fromJS(body); state.setIn(path, value) pattern — is enough to crash or hang a worker. setSize with comparably large values also silently wraps via | 0 coercion, corrupting the resulting list size without crashing.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and any code path passes untrusted input into a List index or a setIn/updateIn key-path — for example config stores, document editors, Redux reducers, or JSON-Patch endpoints that apply user-supplied paths to Immutable state.

Background info

immutable is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 4.3.8 and 5.0.0 - 5.1.7.

How to fix this

Upgrade the immutable library to the patch version.