{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21717", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.575Z", "datePublished": "2026-03-30T19:07:28.415Z", "dateUpdated": "2026-03-30T19:46:10.357Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "20.20.1", "status": "affected", "lessThanOrEqual": "20.20.1", "versionType": "semver"}, {"version": "22.22.1", "status": "affected", "lessThanOrEqual": "22.22.1", "versionType": "semver"}, {"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}, {"version": "4.0", "status": "affected", "lessThan": "4.*", "versionType": "semver"}, {"version": "5.0", "status": "affected", "lessThan": "5.*", "versionType": "semver"}, {"version": "6.0", "status": "affected", "lessThan": "6.*", "versionType": "semver"}, {"version": "7.0", "status": "affected", "lessThan": "7.*", "versionType": "semver"}, {"version": "8.0", "status": "affected", "lessThan": "8.*", "versionType": "semver"}, {"version": "9.0", "status": "affected", "lessThan": "9.*", "versionType": "semver"}, {"version": "10.0", "status": "affected", "lessThan": "10.*", "versionType": "semver"}, {"version": "11.0", "status": "affected", "lessThan": "11.*", "versionType": "semver"}, {"version": "12.0", "status": "affected", "lessThan": "12.*", "versionType": "semver"}, {"version": "13.0", "status": "affected", "lessThan": "13.*", "versionType": "semver"}, {"version": "14.0", "status": "affected", "lessThan": "14.*", "versionType": "semver"}, {"version": "15.0", "status": "affected", "lessThan": "15.*", "versionType": "semver"}, {"version": "16.0", "status": "affected", "lessThan": "16.*", "versionType": "semver"}, {"version": "17.0", "status": "affected", "lessThan": "17.*", "versionType": "semver"}, {"version": "18.0", "status": "affected", "lessThan": "18.*", "versionType": "semver"}, {"version": "19.0", "status": "affected", "lessThan": "19.*", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.415Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T19:46:02.350544Z", "id": "CVE-2026-21717", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:46:10.357Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21717", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T19:46:02.350544Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:46:07.107Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "20.20.1", "versionType": "semver", "lessThanOrEqual": "20.20.1"}, {"status": "affected", "version": "22.22.1", "versionType": "semver", "lessThanOrEqual": "22.22.1"}, {"status": "affected", "version": "24.14.0", "versionType": "semver", "lessThanOrEqual": "24.14.0"}, {"status": "affected", "version": "25.8.1", "versionType": "semver", "lessThanOrEqual": "25.8.1"}, {"status": "affected", "version": "4.0", "lessThan": "4.*", "versionType": "semver"}, {"status": "affected", "version": "5.0", "lessThan": "5.*", "versionType": "semver"}, {"status": "affected", "version": "6.0", "lessThan": "6.*", "versionType": "semver"}, {"status": "affected", "version": "7.0", "lessThan": "7.*", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "8.*", "versionType": "semver"}, {"status": "affected", "version": "9.0", "lessThan": "9.*", "versionType": "semver"}, {"status": "affected", "version": "10.0", "lessThan": "10.*", "versionType": "semver"}, {"status": "affected", "version": "11.0", "lessThan": "11.*", "versionType": "semver"}, {"status": "affected", "version": "12.0", "lessThan": "12.*", "versionType": "semver"}, {"status": "affected", "version": "13.0", "lessThan": "13.*", "versionType": "semver"}, {"status": "affected", "version": "14.0", "lessThan": "14.*", "versionType": "semver"}, {"status": "affected", "version": "15.0", "lessThan": "15.*", "versionType": "semver"}, {"status": "affected", "version": "16.0", "lessThan": "16.*", "versionType": "semver"}, {"status": "affected", "version": "17.0", "lessThan": "17.*", "versionType": "semver"}, {"status": "affected", "version": "18.0", "lessThan": "18.*", "versionType": "semver"}, {"status": "affected", "version": "19.0", "lessThan": "19.*", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "descriptions": [{"lang": "en", "value": "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.415Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21717", "state": "PUBLISHED", "dateUpdated": "2026-03-30T19:46:10.357Z", "dateReserved": "2026-01-04T15:00:06.575Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-30T19:07:28.415Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."}], "id": "CVE-2026-21717", "lastModified": "2026-03-30T20:16:20.010", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:20.010", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions", "id": "2453162", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453162"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-328", "details": ["A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.", "A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21717", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs24", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T19:07:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21717\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21717\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "20.20.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "22.22.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "24.14.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "25.8.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,5.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,6.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,7.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,8.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,9.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,10.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,11.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,12.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,13.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.0.0,14.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[14.0.0,15.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[15.0.0,16.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0,17.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.0.0,18.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.0.0,19.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.0.0,20.0.0)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "node", "source": "cna", "vendor": "nodejs"}, "product": "nodejs", "vendor": "nodejs"}], "analysis": {"en": {"generated_at": "2026-03-30T21:20:18.687124+00:00", "value": {"mitigation_remediation": ["Upgrade Node.js to a version that includes the fix for the V8 hash collision, as described in the March\u00a02026 security release announcement.", "If an upgrade is not immediately possible, apply rate limiting to incoming requests that trigger JSON.parse or offload JSON parsing to isolated worker processes to cap resource consumption.", "Monitor CPU usage, garbage\u2011collection pauses, and request latency to detect anomalous performance degradation that may indicate an ongoing attack."], "summary": {"action": "Patch", "impact": "Denial of Service via predictable hash collision"}, "threat_synthesis": {"affected_systems": "Versions 20.x, 22.x, 24.x, and 25.x of the Node.js runtime are affected. Any application running those releases that parses JSON from external input \u2013 for example via JSON.parse on an HTTP request body \u2013 is vulnerable.", "description_and_impact": "V8\u2019s string hashing routine treats integer\u2011like strings as their numeric value, which forces many distinct strings to map to the same hash bucket. An attacker who supplies specially crafted JSON containing many such strings can cause a large number of hash collisions in the internal string table. The resulting overhead drains CPU and memory, slowing or halting the Node.js process and effectively denying service to legitimate users.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a moderate severity. No exploitation campaigns have been reported and the directive is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. EPSS information is not available. An attacker needs only to send crafted JSON to any endpoint that performs JSON.parse; elevated privileges are not required. Successful exploitation manifests as degraded performance, increased latency, or complete unavailability of the Node.js service, without leaking data or escalating privileges."}}}}, "created": "2026-03-31T20:00:09.755843+00:00", "title": "V8 Hash Collision Allows Denial of Service through JSON.parse", "updated": "2026-03-31T20:40:25.974957+00:00", "vendors": ["nodejs", "nodejs$PRODUCT$nodejs"], "weaknesses": ["CWE-770"]}