CVE-2026-21717
Awaiting Analysis
Awaiting Analysis - Queue
Hash Collision Vulnerability in V8 String Hashing Causes Node.js DoS
Publication date: 2026-03-30
Last updated on: 2026-05-10
Assigner: HackerOne
Description
Description
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.
The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| node.js | node.js | From 20.0.0 (inc) to 25.0.0 (inc) |
| nodejs | node.js | From 20.0 (inc) to 25.999 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
