CVE-2026-21717
Hash Collision Vulnerability in V8 String Hashing Causes Node.js DoS
Publication date: 2026-03-30
Last updated on: 2026-03-30
Assigner: HackerOne
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| node.js | node.js | From 20.0.0 (inc) to 25.0.0 (inc) |
| nodejs | node.js | From 20.0 (inc) to 25.999 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in V8's string hashing mechanism where integer-like strings are hashed to their numeric value. This makes hash collisions trivially predictable.
An attacker can exploit this by crafting requests that cause many such collisions in V8's internal string table, significantly degrading the performance of the Node.js process.
The most common way to trigger this is through any endpoint that calls JSON.parse() on attacker-controlled input, since JSON parsing automatically internalizes short strings into the affected hash table.
How can this vulnerability impact me? :
This vulnerability can significantly degrade the performance of the Node.js process by causing many predictable hash collisions.
Such degradation can lead to denial of service or slow response times, impacting the availability and reliability of applications using the affected Node.js versions.