Node.js 24.x — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/node.js-24.x/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSun, 31 May 2026 07:41:03 +0000CVE-2026-21717 Node.js V8 Hash Collision Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-21717-nodejs-hash-collision/Sun, 31 May 2026 07:41:03 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-21717-nodejs-hash-collision/CVE-2026-21717 is a vulnerability in V8's string hashing mechanism within Node.js that allows attackers to cause hash collisions via predictable integer-like strings in JSON input, leading to denial-of-service by degrading the performance of the Node.js process.CVE-2026-21717 is a vulnerability affecting Node.js versions 20.x, 22.x, 24.x, and 25.x. The flaw resides in the V8 JavaScript engine’s string hashing mechanism. When Node.js parses JSON, V8 internalizes short strings into a hash table. This vulnerability occurs because the hashing algorithm treats integer-like strings specially, hashing them to their numeric value. An attacker can exploit this by crafting JSON input containing a large number of distinct strings that happen to hash to the same value due to this predictable hashing behavior. This causes excessive hash collisions within V8’s internal string table, resulting in a significant performance degradation of the Node.js process, potentially leading to denial of service.

Attack Chain

  1. The attacker identifies a Node.js application that uses JSON.parse() to process user-supplied input.
  2. The attacker crafts a JSON payload containing a large number of strings.
  3. The crafted strings are chosen to be integer-like strings (e.g., “100”, “200”, “300”).
  4. When the Node.js application calls JSON.parse() on the malicious payload, the V8 engine attempts to internalize these strings into its string table.
  5. Due to the flawed hashing algorithm, these strings produce a large number of hash collisions.
  6. The excessive hash collisions cause the V8 engine to spend excessive time resolving these collisions.
  7. This increased processing time degrades the performance of the Node.js process, increasing CPU usage and response times.
  8. The Node.js application becomes unresponsive, effectively causing a denial-of-service condition.

Impact

Successful exploitation of CVE-2026-21717 leads to a denial-of-service condition, potentially impacting all users of the affected Node.js application. The vulnerability affects Node.js versions 20.x, 22.x, 24.x, and 25.x, making a wide range of applications potentially vulnerable. There is no information about number of victims or sectors targeted from the provided source.

Recommendation

  • Apply available patches or upgrade to a fixed version of Node.js to remediate CVE-2026-21717.
  • Deploy the Sigma rule Detect High Number of JSON Parse Operations to identify potential exploitation attempts by monitoring the number of JSON.parse() calls in a given timeframe.
  • Rate limit requests to endpoints that handle JSON data to mitigate the impact of potential hash collision attacks.
]]>mediumadvisorydoshash-collisionnode.js