immutable is vulnerable to Denial of Service (DoS)
87
High Risk
Affected versions of the immutable package store Map and Set keys that share the same 32-bit hash in a linearly scanned collision bucket. The string hash is public and deterministic (JVM-style polynomial: (31 * hashed + charCode) | 0), so an attacker who controls inserted keys can precompute many distinct strings that all collide — for example, 40 characters yield more than one million colliding keys. Each insert or lookup then degrades from amortized O(1) to O(n), and building or reading the whole structure becomes O(n²). A small attacker-shaped payload can therefore consume disproportionate CPU; on a single-threaded runtime such as Node.js this stalls the event loop and denies service. Common patterns such as Immutable.Map(req.body), Immutable.fromJS(req.body), or state.merge(userObject) are affected when object keys come from untrusted input.
You are affected if you are using a version that falls within the vulnerable range.
immutable is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 4.3.8 and 5.0.0 - 5.1.7.
Upgrade the immutable library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant