CVE-2026-21717 Node.js V8 Hash Collision Vulnerability
CVE-2026-21717 is a vulnerability in V8's string hashing mechanism within Node.js that allows attackers to cause hash collisions via predictable integer-like strings in JSON input, leading to denial-of-service by degrading the performance of the Node.js process.
CVE-2026-21717 is a vulnerability affecting Node.js versions 20.x, 22.x, 24.x, and 25.x. The flaw resides in the V8 JavaScript engine’s string hashing mechanism. When Node.js parses JSON, V8 internalizes short strings into a hash table. This vulnerability occurs because the hashing algorithm treats integer-like strings specially, hashing them to their numeric value. An attacker can exploit this by crafting JSON input containing a large number of distinct strings that happen to hash to the same value due to this predictable hashing behavior. This causes excessive hash collisions within V8’s internal string table, resulting in a significant performance degradation of the Node.js process, potentially leading to denial of service.
Attack Chain
- The attacker identifies a Node.js application that uses JSON.parse() to process user-supplied input.
- The attacker crafts a JSON payload containing a large number of strings.
- The crafted strings are chosen to be integer-like strings (e.g., “100”, “200”, “300”).
- When the Node.js application calls JSON.parse() on the malicious payload, the V8 engine attempts to internalize these strings into its string table.
- Due to the flawed hashing algorithm, these strings produce a large number of hash collisions.
- The V8 engine spends excessive time resolving these collisions.
- This increased processing time degrades the performance of the Node.js process, increasing CPU usage and response times.
- The Node.js application becomes unresponsive, effectively causing a denial-of-service condition.
Impact
Successful exploitation of CVE-2026-21717 leads to a denial-of-service condition, potentially impacting all users of the affected Node.js application. The vulnerability affects Node.js versions 20.x, 22.x, 24.x, and 25.x, making a wide range of applications potentially vulnerable. The source provides no information about the number of victims or the sectors targeted.
Recommendation
- Apply available patches or upgrade to a fixed version of Node.js to remediate CVE-2026-21717.
- Deploy the Sigma rule "Detect High Number of JSON Parse Operations" to identify potential exploitation attempts by monitoring the number of JSON.parse() calls in a given timeframe.
- Rate limit requests to endpoints that handle JSON data to mitigate the impact of potential hash collision attacks.
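A pre-parse check that complements the rate-limiting recommendation above, as an added example (not code from the source advisory or the Node.js project): it counts integer-like string literals in the raw body and declines to call JSON.parse() when there are too many. The function names, both limits, the digits-only definition of "integer-like" and the sample bodies are assumptions made for illustration.

```javascript
// Added example, not from the advisory. Names and limits below are assumptions.
const MAX_BODY_BYTES = 1_000_000;   // assumed cap on the raw body size
const MAX_INT_LIKE_STRINGS = 1_000; // assumed cap on integer-like string literals

// One JSON string literal, including backslash escapes.
const STRING_LITERAL = /"(?:[^"\\]|\\.)*"/g;
// Assumed definition of "integer-like": decimal digits only.
const INT_LIKE = /^[0-9]+$/;
// "\u0031" is another spelling of "1", so fold escaped digits before testing.
const ESCAPED_DIGIT = /\\u003([0-9])/g;

// Count integer-like string literals (keys and values) in the raw text.
// Scanning the text keeps the check ahead of JSON.parse().
function countIntegerLikeStrings(rawJson) {
  let count = 0;
  for (const match of rawJson.matchAll(STRING_LITERAL)) {
    const inner = match[0].slice(1, -1).replace(ESCAPED_DIGIT, '$1');
    if (INT_LIKE.test(inner)) count += 1;
  }
  return count;
}

// Parse only when the body passes both limits; otherwise report why not.
function guardedJsonParse(rawJson, limits = {}) {
  const maxBytes = limits.maxBytes ?? MAX_BODY_BYTES;
  const maxIntLike = limits.maxIntLike ?? MAX_INT_LIKE_STRINGS;
  if (typeof rawJson !== 'string') return { ok: false, reason: 'not-a-string' };
  if (Buffer.byteLength(rawJson, 'utf8') > maxBytes) {
    return { ok: false, reason: 'body-too-large' };
  }
  const intLike = countIntegerLikeStrings(rawJson);
  if (intLike > maxIntLike) {
    return { ok: false, reason: 'too-many-integer-like-strings', intLike };
  }
  try {
    return { ok: true, value: JSON.parse(rawJson), intLike };
  } catch {
    return { ok: false, reason: 'invalid-json' };
  }
}

// Constructed sample bodies.
const ordinaryBody = '{"user":"alice","zip":"94110","tags":["a","b"]}';
const digitHeavyBody = '{"k":["1","22","\\u0033\\u0033","x4","5"]}';

console.log(guardedJsonParse(ordinaryBody));                      // parsed
console.log(guardedJsonParse(digitHeavyBody, { maxIntLike: 3 })); // rejected
```

Endpoints that legitimately receive many numeric identifiers as strings will need a higher limit, so tune it per route; upgrading Node.js remains the fix.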
Detection coverage (2)
Detect High Number of JSON Parse Operations
medium: Detects a high number of JSON.parse operations within a short timeframe, potentially indicating a hash collision denial-of-service attempt.
Detect Node.js with JSON Parsing Integer-Like Strings
low: Detects Node.js processes invoking JSON parsing functions with large numbers of numerical strings, characteristic of CVE-2026-21717 exploitation.