Description
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.

The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
Published: 2026-03-30
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via predictable hash collision
Action: Patch
AI Analysis

Impact

V8’s string hashing routine treats integer‑like strings as their numeric value, which forces many distinct strings to map to the same hash bucket. An attacker who supplies specially crafted JSON containing many such strings can cause a large number of hash collisions in the internal string table. The resulting overhead drains CPU and memory, slowing or halting the Node.js process and effectively denying service to legitimate users.

Affected Systems

Versions 20.x, 22.x, 24.x, and 25.x of the Node.js runtime are affected. Any application running those releases that parses JSON from external input – for example via JSON.parse on an HTTP request body – is vulnerable.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity. No exploitation campaigns have been reported and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. EPSS information is not available. An attacker needs only to send crafted JSON to any endpoint that performs JSON.parse; elevated privileges are not required. Successful exploitation manifests as degraded performance, increased latency, or complete unavailability of the Node.js service, without leaking data or escalating privileges.

Generated by OpenCVE AI on March 30, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to a version that includes the fix for the V8 hash collision, as described in the March 2026 security release announcement.
  • If an upgrade is not immediately possible, apply rate limiting to incoming requests that trigger JSON.parse or offload JSON parsing to isolated worker processes to cap resource consumption.
  • Monitor CPU usage, garbage‑collection pauses, and request latency to detect anomalous performance degradation that may indicate an ongoing attack.

Generated by OpenCVE AI on March 30, 2026 at 21:20 UTC.

Tracking


Advisories
Source: Debian DSA
ID: DSA-6183-1
Title: nodejs security update
History

Wed, 01 Apr 2026 02:15:00 +0000

Type: Values Added
Title: nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions
First Time appeared: Nodejs; Nodejs nodejs
Weaknesses: CWE-328; CWE-770
Vendors & Products: Nodejs; Nodejs nodejs
References: (none)
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Mon, 30 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
References
Metrics cvssV3_0

{'score': 5.9, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-30T19:46:10.357Z

Reserved: 2026-01-04T15:00:06.575Z

Link: CVE-2026-21717

Vulnrichment

Updated: 2026-03-30T19:46:07.107Z

NVD

Status : Awaiting Analysis

Published: 2026-03-30T20:16:20.010

Modified: 2026-04-01T14:24:21.833

Link: CVE-2026-21717

Redhat

Severity : Moderate

Public Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21717 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-31T20:40:25Z

Weaknesses