CVE-2025-27209
BaseFortify
Publication date: 2025-07-18
Last updated on: 2025-11-04
Assigner: HackerOne
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| node.js | node.js | 22.17.1 |
| node.js | node.js | 20.19.4 |
| node.js | node.js | 24.4.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a HashDoS (hash denial of service) issue re-introduced in the V8 engine used by Node.js v24.0.0. It occurs because of the way string hashes are computed using rapidhash: an attacker who controls the input strings can generate many hash collisions, and these collisions can be produced even without knowing the hash seed, potentially leading to performance degradation or denial of service.
How can this vulnerability impact me?
An attacker who can control the strings being hashed can cause many hash collisions, which can degrade performance or cause denial of service in applications using Node.js v24.x. This can lead to application crashes or unresponsiveness due to excessive resource consumption.