CVE-2026-21717

ADVISORY - nist

Summary

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.

The most common trigger is any endpoint that calls JSON.parse() on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x.

EPSS Score: 0.00283 (0.202)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Use of Weak Hash

ADVISORY - redhat

Use of Weak Hash


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in