cbcvebase.
CVE-2026-21717
published 2026-03-30

CVE-2026-21717: A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By…

medium5.9CVSS 3.0
AVNACHPRNUINSUCNINAH
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.

Affected

26 ranges· showing 25
VendorProductVersion rangeFixed in
debiannodejs< nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky)nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky)
nodejsnode>= 10.0 < 10.*10.*
nodejsnode>= 11.0 < 11.*11.*
nodejsnode>= 12.0 < 12.*12.*
nodejsnode>= 13.0 < 13.*13.*
nodejsnode>= 14.0 < 14.*14.*
nodejsnode>= 15.0 < 15.*15.*
nodejsnode>= 16.0 < 16.*16.*
nodejsnode>= 17.0 < 17.*17.*
nodejsnode>= 18.0 < 18.*18.*
nodejsnode>= 19.0 < 19.*19.*
nodejsnode20.20.1 – 20.20.1
nodejsnode22.22.1 – 22.22.1
nodejsnode24.14.0 – 24.14.0
nodejsnode25.8.1 – 25.8.1
nodejsnode>= 4.0 < 4.*4.*
nodejsnode>= 5.0 < 5.*5.*
nodejsnode>= 6.0 < 6.*6.*
nodejsnode>= 7.0 < 7.*7.*
nodejsnode>= 8.0 < 8.*8.*
nodejsnode>= 9.0 < 9.*9.*
nodejsnodejs>= 0 < 22.22.2-r022.22.2-r0
nodejsnodejs>= 0 < 22.22.2-r022.22.2-r0
nodejsnodejs>= 0 < 24.14.1-r024.14.1-r0
nodejsnodejs>= 0 < 20.19.2+dfsg-1+deb13u220.19.2+dfsg-1+deb13u2

CVSS provenance

nvdv3.05.9MEDIUMCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
osv5.9MEDIUM