{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21717", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.575Z", "datePublished": "2026-03-30T19:07:28.415Z", "dateUpdated": "2026-05-10T13:16:01.620Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "20.20.1", "status": "affected", "lessThanOrEqual": "20.20.1", "versionType": "semver"}, {"version": "22.22.1", "status": "affected", "lessThanOrEqual": "22.22.1", "versionType": "semver"}, {"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}, {"version": "4.0", "status": "affected", "lessThan": "4.*", "versionType": "semver"}, {"version": "5.0", "status": "affected", "lessThan": "5.*", "versionType": "semver"}, {"version": "6.0", "status": "affected", "lessThan": "6.*", "versionType": "semver"}, {"version": "7.0", "status": "affected", "lessThan": "7.*", "versionType": "semver"}, {"version": "8.0", "status": "affected", "lessThan": "8.*", "versionType": "semver"}, {"version": "9.0", "status": "affected", "lessThan": "9.*", "versionType": "semver"}, {"version": "10.0", "status": "affected", "lessThan": "10.*", "versionType": "semver"}, {"version": "11.0", "status": "affected", "lessThan": "11.*", "versionType": "semver"}, {"version": "12.0", "status": "affected", "lessThan": "12.*", "versionType": "semver"}, {"version": "13.0", "status": "affected", "lessThan": "13.*", "versionType": "semver"}, {"version": "14.0", "status": "affected", "lessThan": "14.*", "versionType": "semver"}, {"version": "15.0", "status": "affected", "lessThan": "15.*", "versionType": "semver"}, {"version": "16.0", "status": "affected", "lessThan": "16.*", "versionType": "semver"}, {"version": "17.0", "status": "affected", "lessThan": "17.*", "versionType": "semver"}, {"version": "18.0", "status": "affected", "lessThan": "18.*", "versionType": "semver"}, {"version": "19.0", "status": "affected", "lessThan": "19.*", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.415Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-328", "lang": "en", "description": "CWE-328 Use of Weak Hash"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T19:46:02.350544Z", "id": "CVE-2026-21717", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-10T13:16:01.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21717", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T19:46:02.350544Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-328", "description": "CWE-328 Use of Weak Hash"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:46:07.107Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "20.20.1", "versionType": "semver", "lessThanOrEqual": "20.20.1"}, {"status": "affected", "version": "22.22.1", "versionType": "semver", "lessThanOrEqual": "22.22.1"}, {"status": "affected", "version": "24.14.0", "versionType": "semver", "lessThanOrEqual": "24.14.0"}, {"status": "affected", "version": "25.8.1", "versionType": "semver", "lessThanOrEqual": "25.8.1"}, {"status": "affected", "version": "4.0", "lessThan": "4.*", "versionType": "semver"}, {"status": "affected", "version": "5.0", "lessThan": "5.*", "versionType": "semver"}, {"status": "affected", "version": "6.0", "lessThan": "6.*", "versionType": "semver"}, {"status": "affected", "version": "7.0", "lessThan": "7.*", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "8.*", "versionType": "semver"}, {"status": "affected", "version": "9.0", "lessThan": "9.*", "versionType": "semver"}, {"status": "affected", "version": "10.0", "lessThan": "10.*", "versionType": "semver"}, {"status": "affected", "version": "11.0", "lessThan": "11.*", "versionType": "semver"}, {"status": "affected", "version": "12.0", "lessThan": "12.*", "versionType": "semver"}, {"status": "affected", "version": "13.0", "lessThan": "13.*", "versionType": "semver"}, {"status": "affected", "version": "14.0", "lessThan": "14.*", "versionType": "semver"}, {"status": "affected", "version": "15.0", "lessThan": "15.*", "versionType": "semver"}, {"status": "affected", "version": "16.0", "lessThan": "16.*", "versionType": "semver"}, {"status": "affected", "version": "17.0", "lessThan": "17.*", "versionType": "semver"}, {"status": "affected", "version": "18.0", "lessThan": "18.*", "versionType": "semver"}, {"status": "affected", "version": "19.0", "lessThan": "19.*", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "descriptions": [{"lang": "en", "value": "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.415Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21717", "state": "PUBLISHED", "dateUpdated": "2026-05-10T13:16:01.620Z", "dateReserved": "2026-01-04T15:00:06.575Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-30T19:07:28.415Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."}, {"lang": "es", "value": "Un fallo en el mecanismo de hash de cadenas de V8 hace que las cadenas similares a enteros se les aplique hash a su valor num\u00e9rico, haciendo que las colisiones de hash sean trivialmente predecibles. Al elaborar una solicitud que causa muchas de estas colisiones en la tabla interna de cadenas de V8, un atacante puede degradar significativamente el rendimiento del proceso de Node.js.\n\nEl desencadenante m\u00e1s com\u00fan es cualquier punto final que llama a `JSON.parse()` en la entrada controlada por el atacante, ya que el an\u00e1lisis JSON internaliza autom\u00e1ticamente cadenas cortas en la tabla hash afectada.\n\nEsta vulnerabilidad afecta a 20.x, 22.x, 24.x y 25.x."}], "id": "CVE-2026-21717", "lastModified": "2026-05-10T14:16:47.620", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:20.010", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-328"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions", "id": "2453162", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453162"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-328", "details": ["A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.", "A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21717", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs24", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T19:07:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21717\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21717\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "20.20.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "22.22.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "24.14.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "25.8.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,5.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,6.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,7.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,8.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,9.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,10.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,11.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,12.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,13.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.0.0,14.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[14.0.0,15.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[15.0.0,16.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0,17.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.0.0,18.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.0.0,19.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.0.0,20.0.0)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "node", "source": "cna", "vendor": "nodejs"}, "product": "nodejs", "vendor": "nodejs"}], "analysis": {"en": {"generated_at": "2026-04-02T21:44:32.949088+00:00", "value": {"mitigation_remediation": ["Update Node.js to the latest patched release for versions 20.x, 22.x, 24.x, or 25.x.", "Verify the installed Node.js version after upgrade to confirm the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Node.js versions 20.x, 22.x, 24.x, and 25.x distributed by nodejs:node.", "description_and_impact": "V8's string hashing mechanism treats integer-like strings as their numeric values, creating easily predictable hash collisions. An attacker can craft many such strings\u2014most commonly by sending JSON that is parsed by JSON.parse\u2014to flood the internal string hash table, severely degrading Node.js process performance and potentially causing a denial of service. The flaw is a hash collision vulnerability (CWE-328) that leads to CPU exhaustion rather than code execution.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity. EPSS is below 1%, suggesting the likelihood of exploitation is currently low, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote, requiring the attacker to send crafted input to an endpoint that processes JSON; most JSON parsing endpoints are exposed over the network, making the condition reasonably achievable if such endpoints exist on the system."}}}}, "created": "2026-03-31T20:00:09.755843+00:00", "updated": "2026-04-03T09:38:07.831777+00:00", "vendors": ["nodejs", "nodejs$PRODUCT$nodejs"]}