immutable is vulnerable to Denial of Service (DoS)
87
High Risk
Affected versions of the immutable package mishandle List indices and sizes in the range [2^30, 2^31) in List#set, List#setSize, List#setIn, and List#updateIn (and their functional equivalents). Signed 32-bit bitwise arithmetic in setListBounds makes the trie level-raising loop never terminate: on an empty List the worker hangs in an uncatchable CPU spin, and on a populated List (32 or more elements) it allocates VNodes without bound until the process aborts from heap exhaustion. Because indices accept numeric strings, a single small untrusted request — for example routing ["items", "1073741824"] through the common state = fromJS(body); state.setIn(path, value) pattern — is enough to crash or hang a worker. setSize with comparably large values also silently wraps via | 0 coercion, corrupting the resulting list size without crashing.
You are affected if you are using a version that falls within the vulnerable range and any code path passes untrusted input into a List index or a setIn/updateIn key-path — for example config stores, document editors, Redux reducers, or JSON-Patch endpoints that apply user-supplied paths to Immutable state.
immutable is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 4.3.8 and 5.0.0 - 5.1.7.
Upgrade the immutable library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant