CVE-2026-21717 - Vulnerability Details

- nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions

Description

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.

The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.

Published: 2026-03-30

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

V8's string hashing mechanism treats integer-like strings as their numeric values, creating easily predictable hash collisions. An attacker can craft many such strings—most commonly by sending JSON that is parsed by JSON.parse—to flood the internal string hash table, severely degrading Node.js process performance and potentially causing a denial of service. The flaw is a hash collision vulnerability (CWE-328) that leads to CPU exhaustion rather than code execution.

Affected Systems

The vulnerability affects Node.js versions 20.x, 22.x, 24.x, and 25.x distributed by nodejs:node.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. EPSS is below 1%, suggesting the likelihood of exploitation is currently low, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote, requiring the attacker to send crafted input to an endpoint that processes JSON; most JSON parsing endpoints are exposed over the network, making the condition reasonably achievable if such endpoints exist on the system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

nodejs

node

unaffected

Version	Status	Constraints
`20.20.1`	affected	≤ 20.20.1
`22.22.1`	affected	≤ 22.22.1
`24.14.0`	affected	≤ 24.14.0
`25.8.1`	affected	≤ 25.8.1
`4.0`	affected	< 4.*
`5.0`	affected	< 5.*
`6.0`	affected	< 6.*
`7.0`	affected	< 7.*
`8.0`	affected	< 8.*
`9.0`	affected	< 9.*
`10.0`	affected	< 10.*
`11.0`	affected	< 11.*
`12.0`	affected	< 12.*
`13.0`	affected	< 13.*
`14.0`	affected	< 14.*
`15.0`	affected	< 15.*
`16.0`	affected	< 16.*
`17.0`	affected	< 17.*
`18.0`	affected	< 18.*
`19.0`	affected	< 19.*

No data.

Vendor Product Confidence Versions

Nodejs

92%

Version	Status	Scheme	Platform
`20.20.1`	affected	semver	—
`22.22.1`	affected	semver	—
`24.14.0`	affected	semver	—
`25.8.1`	affected	semver	—
`[4.0.0,5.0.0)`	affected	semver	—
`[5.0.0,6.0.0)`	affected	semver	—
`[6.0.0,7.0.0)`	affected	semver	—
`[7.0.0,8.0.0)`	affected	semver	—
`[8.0.0,9.0.0)`	affected	semver	—
`[9.0.0,10.0.0)`	affected	semver	—
`[10.0.0,11.0.0)`	affected	semver	—
`[11.0.0,12.0.0)`	affected	semver	—
`[12.0.0,13.0.0)`	affected	semver	—
`[13.0.0,14.0.0)`	affected	semver	—
`[14.0.0,15.0.0)`	affected	semver	—
`[15.0.0,16.0.0)`	affected	semver	—
`[16.0.0,17.0.0)`	affected	semver	—
`[17.0.0,18.0.0)`	affected	semver	—
`[18.0.0,19.0.0)`	affected	semver	—
`[19.0.0,20.0.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Node.js to the latest patched release for versions 20.x, 22.x, 24.x, or 25.x.
Verify the installed Node.js version after upgrade to confirm the patch is applied.

Generated by OpenCVE AI on April 2, 2026 at 21:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6183-1	nodejs security update

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
https://nvd.nist.gov/vuln/detail/CVE-2026-21717
https://www.cve.org/CVERecord?id=CVE-2026-21717

History

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-770

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Title		nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions
First Time appeared		Nodejs Nodejs nodejs
Weaknesses		CWE-328 CWE-770
Vendors & Products		Nodejs Nodejs nodejs
References		https://nvd.nist.gov/vuln/detail/CVE-2026-21717 https://www.cve.org/CVERecord?id=CVE-2026-21717
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Mon, 30 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects 20.x, 22.x, 24.x, and 25.x.
References		https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
Metrics		cvssV3_0 `{'score': 5.9, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Nodejs Nodejs

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2026-03-30T19:07:28.415Z

Updated: 2026-03-30T19:46:10.357Z

Reserved: 2026-01-04T15:00:06.575Z

Link: CVE-2026-21717

Vulnrichment

Updated: 2026-03-30T19:46:07.107Z

NVD

Status : Awaiting Analysis

Published: 2026-03-30T20:16:20.010

Modified: 2026-04-01T14:24:21.833

Link: CVE-2026-21717

Redhat

Severity : Moderate

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21717 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:38:07Z

Weaknesses

CWE-328

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object