{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/node.js-22.x/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.9,"id":"CVE-2026-21717"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Node.js 20.x","Node.js 22.x","Node.js 24.x","Node.js 25.x"],"_cs_severities":["medium"],"_cs_tags":["dos","hash-collision","node.js"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-21717 is a vulnerability affecting Node.js versions 20.x, 22.x, 24.x, and 25.x. The flaw resides in the V8 JavaScript engine\u0026rsquo;s string hashing mechanism. When Node.js parses JSON, V8 internalizes short strings into a hash table. This vulnerability occurs because the hashing algorithm treats integer-like strings specially, hashing them to their numeric value. An attacker can exploit this by crafting JSON input containing a large number of distinct strings that happen to hash to the same value due to this predictable hashing behavior. This causes excessive hash collisions within V8\u0026rsquo;s internal string table, resulting in a significant performance degradation of the Node.js process, potentially leading to denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Node.js application that uses \u003ccode\u003eJSON.parse()\u003c/code\u003e to process user-supplied input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a JSON payload containing a large number of strings.\u003c/li\u003e\n\u003cli\u003eThe crafted strings are chosen to be integer-like strings (e.g., \u0026ldquo;100\u0026rdquo;, \u0026ldquo;200\u0026rdquo;, \u0026ldquo;300\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eWhen the Node.js application calls \u003ccode\u003eJSON.parse()\u003c/code\u003e on the malicious payload, the V8 engine attempts to internalize these strings into its string table.\u003c/li\u003e\n\u003cli\u003eDue to the flawed hashing algorithm, these strings produce a large number of hash collisions.\u003c/li\u003e\n\u003cli\u003eThe V8 engine then spends excessive time resolving these collisions.\u003c/li\u003e\n\u003cli\u003eThis increased processing time degrades the performance of the Node.js process, increasing CPU usage and response times.\u003c/li\u003e\n\u003cli\u003eThe Node.js application becomes unresponsive, effectively causing a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21717 leads to a denial-of-service condition, potentially impacting all users of the affected Node.js application. The vulnerability affects Node.js versions 20.x, 22.x, 24.x, and 25.x, making a wide range of applications potentially vulnerable. The provided source gives no information about the number of victims or the sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a fixed version of Node.js to remediate CVE-2026-21717.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High Number of JSON Parse Operations\u003c/code\u003e to identify potential exploitation attempts by monitoring the number of \u003ccode\u003eJSON.parse()\u003c/code\u003e calls in a given timeframe.\u003c/li\u003e\n\u003cli\u003eRate limit requests to endpoints that handle JSON data to mitigate the impact of potential hash collision attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-31T07:41:03Z","date_published":"2026-05-31T07:41:03Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-21717-nodejs-hash-collision/","summary":"CVE-2026-21717 is a vulnerability in V8's string hashing mechanism within Node.js that allows attackers to cause hash collisions via predictable integer-like strings in JSON input, leading to denial-of-service by degrading the performance of the Node.js process.","title":"CVE-2026-21717 Node.js V8 Hash Collision Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-21717-nodejs-hash-collision/"}],"language":"en","title":"CraftedSignal Threat Feed — Node.js 22.x","version":"https://jsonfeed.org/version/1.1"}