CVE-2026-21717
Hash Collision Vulnerability in V8 String Hashing Causes Node.js DoS
Publication date: 2026-03-30
Last updated on: 2026-05-10
Assigner: HackerOne
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| node.js | node.js | From 20.0.0 (inc) to 25.0.0 (inc) |
| nodejs | node.js | From 20.0 (inc) to 25.999 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in V8's string hashing mechanism where integer-like strings are hashed to their numeric value. This makes hash collisions trivially predictable.
An attacker can exploit this by crafting requests that cause many such collisions in V8's internal string table, significantly degrading the performance of the Node.js process.
The most common way to trigger this is through any endpoint that calls JSON.parse() on attacker-controlled input, since JSON parsing automatically internalizes short strings into the affected hash table.
How can this vulnerability impact me? :
This vulnerability can significantly degrade the performance of the Node.js process by causing many predictable hash collisions.
Such degradation can lead to denial of service or slow response times, impacting the availability and reliability of applications using the affected Node.js versions.