CVE-2025-27209
published 2025-07-18CVE-2025-27209: The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability…
high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects Node.js v24.x users.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nodejs | — | — |
| nodejs | node | >= 24.0.0 < 24.4.1 | 24.4.1 |