CVE-2026-21717 PUBLISHED

Assigner: hackerone
Reserved: 04.01.2026 Published: 30.03.2026 Updated: 30.03.2026

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.

The most common trigger is any endpoint that calls JSON.parse() on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x.

Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 5.9

Product Status

Vendor nodejs
Product node
Versions Default: unaffected
  • affected from 20.20.1 to 20.20.1 (incl.)
  • affected from 22.22.1 to 22.22.1 (incl.)
  • affected from 24.14.0 to 24.14.0 (incl.)
  • affected from 25.8.1 to 25.8.1 (incl.)
  • affected from 4.0 to 4.* (excl.)
  • affected from 5.0 to 5.* (excl.)
  • affected from 6.0 to 6.* (excl.)
  • affected from 7.0 to 7.* (excl.)
  • affected from 8.0 to 8.* (excl.)
  • affected from 9.0 to 9.* (excl.)
  • affected from 10.0 to 10.* (excl.)
  • affected from 11.0 to 11.* (excl.)
  • affected from 12.0 to 12.* (excl.)
  • affected from 13.0 to 13.* (excl.)
  • affected from 14.0 to 14.* (excl.)
  • affected from 15.0 to 15.* (excl.)
  • affected from 16.0 to 16.* (excl.)
  • affected from 17.0 to 17.* (excl.)
  • affected from 18.0 to 18.* (excl.)
  • affected from 19.0 to 19.* (excl.)

References