CVE-2026-21717
ADVISORY - nistSummary
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.
The most common trigger is any endpoint that calls JSON.parse() on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.
This vulnerability affects 20.x, 22.x, 24.x, and 25.x.
EPSS Score: 0.00283 (0.202)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Use of Weak Hash
ADVISORY - redhat
Use of Weak Hash
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in