CVE-2026-21717 — Use of Weak Hash in Node
Severity: 5.9 MEDIUM (NVD)
EPSS: 0.0% (top 92.66%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 30
Description
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.
The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.
This…
CVSS vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6
Affected Packages: 3 packages
Vulnerability Details (4)
CVEList: CVE-2026-21717: A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable (2026-03-30)
GHSA: GHSA-326m-34v3-gv5p: A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable (2026-03-30)
OSV: CVE-2026-21717: A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable (2026-03-30)
OSV: CVE-2026-21717: A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable (2026-03-30)
Vendor Advisories (2)
Threat Intelligence (1)
Community (1)
Bugzilla: CVE-2026-21717 nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (2026-03-30)