{“lastseen”:””,”description”:”A flaw in V8’s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8’s internal string table, an attacker can significantly degrade performance of the Node.js process.\\r\\n\\r\\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\\r\\n\\r\\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.”,”published”:”2026-03-30T19:07:28.415Z”,”modified”:”2026-03-30T19:46:10.357Z”,”type”:”cve”,”title”:”CVE-2026-21717″,”source”:”hackerone”,”references”:”https:\/\/nodejs.org\/en\/blog\/vulnerability\/march-2026-security-releases”,”id”:”CVE-2026-21717″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”nodejs node 20.20.1\\nnodejs node 22.22.1\\nnodejs node 24.14.0\\nnodejs node 25.8.1\\nnodejs node 4.0\\nnodejs node 5.0\\nnodejs node 6.0\\nnodejs node 7.0\\nnodejs node 8.0\\nnodejs node 9.0\\nnodejs node 10.0\\nnodejs node 11.0\\nnodejs node 12.0\\nnodejs node 13.0\\nnodejs node 14.0\\nnodejs node 15.0\\nnodejs node 16.0\\nnodejs node 17.0\\nnodejs node 18.0\\nnodejs node 19.0″,”sourceHref”:””,”cvss”:{“score”:5.9,”severity”:”MEDIUM”,”vector”:”CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H”,”version”:”3.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”node”,”version”:”20.20.1″,”vendor”:”nodejs”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”A flaw in V8’s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,97,12,21,13,7,11,5],"class_list":["post-44716","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-59","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n