Integer Overflow or Wraparound Affecting immutable package, versions <4.3.9>=5.0.0-beta.1 <5.1.8


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.37% (30th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-IMMUTABLE-17900573
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditMateusz Gierblinski

Introduced: 8 Jul 2026

NewCVE-2026-59879  (opens in a new tab)
CWE-190  (opens in a new tab)

How to fix?

Upgrade immutable to version 4.3.9, 5.1.8 or higher.

Overview

Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the setListBounds function in src/List.js when handling an index or size in the range 2 ** 30 to 2 ** 31. An attacker can cause an empty list to enter an uncatchable infinite loop, trigger unbounded memory allocation until process abort, or cause silent value wrapping by supplying crafted input values.

CVSS Base Scores

version 4.0
version 3.1