CVE-2026-21717

Affects: Node.js
Versions: <20.20.2, >=22.0.0 <22.22.2, >=24.0.0 <24.14.1, >=25.0.0 <25.8.2
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Node.js is a widely used open-source, cross-platform JavaScript runtime built on Chrome’s V8 engine. It enables developers to build scalable server-side and networking applications using an event-driven, non-blocking I/O model, making it a popular choice for APIs, microservices, and real-time web applications.

A Hash Denial of Service (HashDoS) vulnerability (CVE-2026-21717) has been identified in Node.js due to improper handling of string hashing within the V8 engine. Specifically, integer-like strings are hashed deterministically to their numeric values, so the hash of any such key is predictable and an attacker can choose keys that land in the same hash-table bucket. This allows attackers to craft malicious inputs, commonly JSON payloads, that trigger excessive hash collisions, leading to significant CPU consumption and degraded application performance.

Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.

This issue affects multiple supported versions of Node.js, including the v20.x, v22.x, v24.x, and v25.x release lines.

Details

Module Info

  • Product: Node.js
  • Affected versions:
    • <20.20.2
    • >=22.0.0 <22.22.2
    • >=24.0.0 <24.14.1
    • >=25.0.0 <25.8.2
  • GitHub repository: https://github.com/nodejs/node
  • Fixed in:
    • OSS Node.js v20.20.2, v22.22.2, v24.14.1 and v25.8.2
    • Node.js NES v12.22.16, v14.21.10, v16.20.11, v18.20.16
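To turn the version ranges above into a fleet check, the following script compares a Node.js version string against the OSS affected ranges for CVE-2026-21717. It is an added example, not HeroDevs' or the Node.js project's own tooling; the range table is copied from this advisory and applies to OSS Node.js only (HeroDevs NES builds carry their own fixed versions and are not modelled).

```javascript
// Added example (not HeroDevs' or Node.js' own code): checks a Node.js
// version string against the OSS affected ranges listed in this advisory
// for CVE-2026-21717. NES builds have separate fixed versions and are not
// covered here.

// Each entry is [lowerInclusive, upperExclusive]; a null lower bound means
// "every version below the upper bound" (so EOL 18.x and earlier match too).
const AFFECTED_RANGES = [
  [null, '20.20.2'],
  ['22.0.0', '22.22.2'],
  ['24.0.0', '24.14.1'],
  ['25.0.0', '25.8.2'],
];

// Parse "v20.20.1" or "20.20.1" into [major, minor, patch] numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-way compare of two parsed versions (negative, zero, positive).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True if the version falls inside any affected range. Release lines the
// advisory does not list (for example 21.x or 23.x) return false; they are
// simply outside the table, not asserted safe.
function isAffectedNodeVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(([lo, hi]) => {
    const aboveLo = lo === null || compareVersions(v, parseVersion(lo)) >= 0;
    const belowHi = compareVersions(v, parseVersion(hi)) < 0;
    return aboveLo && belowHi;
  });
}

// One-line verdict for the runtime this script is executing on.
function describeRuntime(version = process.version) {
  const verdict = isAffectedNodeVersion(version) ? 'AFFECTED by' : 'not affected by';
  return `${version}: ${verdict} CVE-2026-21717`;
}

console.log(describeRuntime());
```

Run it with the Node.js binary you want to check, or feed `isAffectedNodeVersion()` the version strings collected from an inventory (container images, `nvm ls`, CI runners) and alert on any `true`.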

Vulnerability Info

This medium-severity vulnerability affects multiple supported versions of the Node.js runtime.

This issue is particularly impactful in applications that process untrusted input, such as APIs that call JSON.parse() on request bodies: the parsed keys are inserted directly into V8's internal hash tables, so the condition can be triggered over the network without authentication.

Node.js relies on the V8 JavaScript engine, which uses hash tables to efficiently manage object property storage and lookup operations. Under normal conditions, these hashing mechanisms are designed to evenly distribute keys, ensuring consistent and performant access times even when handling large volumes of data.

In affected versions, integer-like string values are hashed deterministically to their numeric equivalents. This makes the hash of such keys predictable, so an attacker can deliberately construct sets of keys that produce excessive hash collisions. When such inputs are processed through common mechanisms like JSON.parse() that turn user-controlled data into JavaScript objects, the colliding keys accumulate in the same buckets of the internal hash tables.

As a result, standard object operations degrade from amortised constant time toward linear time per operation, which is quadratic work overall for a payload of n colliding keys. In worst-case scenarios, this leads to substantial CPU consumption and event loop blocking. Because Node.js executes JavaScript on a single thread, this degradation directly affects the availability and responsiveness of the entire application, not just the request that carried the payload.

Successful exploitation of this vulnerability results in a Denial of Service (DoS) condition, which may include:

  • Application performance degradation: Requests are delayed or stalled due to excessive computation.
  • Service disruption: Legitimate users may be unable to access or interact with the application.
  • Infrastructure strain: Elevated CPU usage can impact co-located services or increase operational costs.

Mitigation

Organizations are advised to upgrade to the patched Node.js versions provided by the Node.js Security Release Team. Where immediate upgrades are not feasible, mitigations such as limiting request payload sizes, validating input structures, and implementing rate limiting can reduce exposure. Note that structural validation normally runs only after JSON.parse() has already built the object, so a byte-size limit enforced before parsing is the control that actually bounds the work an attacker can force; key-count and nesting checks then limit what reaches application code.
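The following guard shows the interim mitigations above applied to a request body: a byte-size cap checked before JSON.parse(), then a key-count and nesting-depth check on the parsed result. It is an added example, not HeroDevs' or the Node.js project's code; the limit values, the `PayloadRejected` error class and the `sampleIntegerKeyBody` helper that builds a constructed test body are assumptions for illustration and must be tuned to the application's real payloads.

```javascript
// Added example (not HeroDevs' or Node.js' own code): defence-in-depth guard
// for untrusted JSON while a patched Node.js is being rolled out. The limits
// below are illustrative assumptions; tune them to real payload sizes.

const DEFAULT_LIMITS = { maxBytes: 64 * 1024, maxKeys: 1000, maxDepth: 20 };

// Hypothetical error type so callers can map rejections to HTTP 413/400.
class PayloadRejected extends Error {}

// Byte-size check first: it is the only limit that bounds the work JSON.parse
// itself performs (and therefore the number of keys an attacker can submit).
// After parsing, walk the value and reject too many object keys or too deep
// nesting before the object reaches application code. JSON syntax errors
// propagate from JSON.parse unchanged.
function parseUntrustedJson(text, limits = DEFAULT_LIMITS) {
  const bytes = Buffer.byteLength(text, 'utf8');
  if (bytes > limits.maxBytes) {
    throw new PayloadRejected(`body is ${bytes} bytes, limit ${limits.maxBytes}`);
  }
  const value = JSON.parse(text);
  const stats = measure(value, limits);
  return { value, ...stats };
}

// Iterative walk (no recursion, so a deeply nested body cannot blow the stack).
// Counts own keys across all plain objects and tracks the deepest container.
function measure(root, limits) {
  let keys = 0;
  let maxDepth = 0;
  const stack = [[root, 1]];
  while (stack.length) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > maxDepth) maxDepth = depth;
    if (maxDepth > limits.maxDepth) {
      throw new PayloadRejected(`nesting depth exceeds ${limits.maxDepth}`);
    }
    if (!Array.isArray(node)) {
      keys += Object.keys(node).length;
      if (keys > limits.maxKeys) {
        throw new PayloadRejected(`more than ${limits.maxKeys} object keys`);
      }
    }
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) stack.push([child, depth + 1]);
  }
  return { keys, maxDepth };
}

// Constructed sample input: an object with n integer-like keys ("0".."n-1"),
// the key shape this advisory says is hashed predictably. These keys are
// sequential, not a crafted collision set; the point is only that the guard
// rejects an oversized key set before it matters.
function sampleIntegerKeyBody(n) {
  const parts = [];
  for (let i = 0; i < n; i++) parts.push(`"${i}":1`);
  return `{${parts.join(',')}}`;
}

// Demo: a benign body passes, a body with 5000 integer-like keys is rejected.
const benign = parseUntrustedJson('{"user":"alice","tags":["a","b"],"prefs":{"theme":"dark"}}');
console.log(`benign body: ${benign.keys} keys, depth ${benign.maxDepth}`);
try {
  parseUntrustedJson(sampleIntegerKeyBody(5000));
} catch (e) {
  console.log(`rejected: ${e.message}`);
}
```

In an HTTP server the byte cap should also be enforced while reading the stream (for example `limit` on body-parser middleware or a manual counter on `req.on('data')`), so an oversized body is dropped before it is ever buffered; this function is the last line, not the first.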

Node.js versions prior to v20.x are End-of-Life and will not receive any updates to address this issue. For more information visit the Node Release Page.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications to a patched version of Node.js.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

Vulnerability Details

  • Severity: Medium (CVSS scale used on this page: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
  • ID: CVE-2026-21717
  • Project affected: Node.js
  • Versions affected: <20.20.2, >=22.0.0 <22.22.2, >=24.0.0 <24.14.1, >=25.0.0 <25.8.2
  • NES versions affected: none listed
  • Published date: April 13, 2026
  • ≈ Fix date: March 24, 2026
  • Category: none listed
  • VEX document: available for download from the advisory page