CVE-2025-27209 — Inefficient Algorithmic Complexity in Node

CWE-407 — Inefficient Algorithmic Complexity CWE-400 — Uncontrolled Resource Consumption5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 85.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node

Timeline

PublishedJul 18

Latest updateJul 19

Description

The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects Node.js v24.x users.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶CVEListV5nodejs/node24.0.0 — 24.4.1

🔴Vulnerability Details

GHSA

GHSA-qr33-gf7m-pq45: The V8 release used in Node↗2025-07-19

▶

CVEList

CVE-2025-27209: The V8 release used in Node↗2025-07-18

▶

📋Vendor Advisories

Red Hat

nodejs: Node.js Rapidhash HashDoS Vulnerability↗2025-07-18

▶

Debian

CVE-2025-27209: nodejs - The V8 release used in Node.js v24.0.0 has changed how string hashes are compute...↗2025

▶