CVE-2026-21717

Summary

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.

The most common trigger is any endpoint that calls JSON.parse() on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x.

Affected Software

VendorProductVersion RangeStatus
nodejsnode20.20.1 <= 20.20.1affected
nodejsnode22.22.1 <= 22.22.1affected
nodejsnode24.14.0 <= 24.14.0affected
nodejsnode25.8.1 <= 25.8.1affected
nodejsnode4.0 < 4.*affected
nodejsnode5.0 < 5.*affected
nodejsnode6.0 < 6.*affected
nodejsnode7.0 < 7.*affected
nodejsnode8.0 < 8.*affected
nodejsnode9.0 < 9.*affected
nodejsnode10.0 < 10.*affected
nodejsnode11.0 < 11.*affected
nodejsnode12.0 < 12.*affected
nodejsnode13.0 < 13.*affected
nodejsnode14.0 < 14.*affected
nodejsnode15.0 < 15.*affected
nodejsnode16.0 < 16.*affected
nodejsnode17.0 < 17.*affected
nodejsnode18.0 < 18.*affected
nodejsnode19.0 < 19.*affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References