Intel

AIKIDO-2026-428611

immutable is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)GHSA-xvcm-6775-5m9r Published Jul 1, 2026

87

High Risk

This Affects:

JSimmutable
0.0.1 - 4.3.8
Fixed in 4.3.9
5.0.0 - 5.1.7
Fixed in 5.1.8
Are you affected? Scan for Free

TL;DR

Affected versions of the immutable package store Map and Set keys that share the same 32-bit hash in a linearly scanned collision bucket. The string hash is public and deterministic (JVM-style polynomial: (31 * hashed + charCode) | 0), so an attacker who controls inserted keys can precompute many distinct strings that all collide — for example, 40 characters yield more than one million colliding keys. Each insert or lookup then degrades from amortized O(1) to O(n), and building or reading the whole structure becomes O(n²). A small attacker-shaped payload can therefore consume disproportionate CPU; on a single-threaded runtime such as Node.js this stalls the event loop and denies service. Common patterns such as Immutable.Map(req.body), Immutable.fromJS(req.body), or state.merge(userObject) are affected when object keys come from untrusted input.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

immutable is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 4.3.8 and 5.0.0 - 5.1.7.

How to fix this

Upgrade the immutable library to the patch version.