CVE-2026-21717 - GitHub Advisory Database (original) (raw)

1. GitHub Advisory Database
2. Unreviewed
3. CVE-2026-21717

A flaw in V8's string hashing mechanism causes integer...

Moderate severity Unreviewed PublishedMar 30, 2026 to the GitHub Advisory Database • Updated May 10, 2026

Package

Affected versions

Unknown

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.

The most common trigger is any endpoint that calls JSON.parse() on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x.

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-21717
• https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Published to the GitHub Advisory Database

Mar 30, 2026

Last updated

May 10, 2026