Medium severity5.9NVD Advisory· Published Mar 30, 2026· Updated May 10, 2026

CVE-2026-21717

Description

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.

The most common trigger is any endpoint that calls JSON.parse() on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x.

Affected products

Naturalintelligence/Node.jsinferred
Range: 20.x, 22.x, 24.x, 25.x
Package: https://npmjs.com/package/node

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

nodejs.org/en/blog/vulnerability/march-2026-security-releasesnvd

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000