CVE-2026-21717

{"id": "CVE-2026-21717", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "support@hackerone.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2026-03-30T20:16:20.010", "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", "source": "support@hackerone.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-328"}]}], "descriptions": [{"lang": "en", "value": "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."}, {"lang": "es", "value": "Un fallo en el mecanismo de hash de cadenas de V8 hace que las cadenas similares a enteros se les aplique hash a su valor num\u00e9rico, haciendo que las colisiones de hash sean trivialmente predecibles. Al elaborar una solicitud que causa muchas de estas colisiones en la tabla interna de cadenas de V8, un atacante puede degradar significativamente el rendimiento del proceso de Node.js.\n\nEl desencadenante m\u00e1s com\u00fan es cualquier punto final que llama a `JSON.parse()` en la entrada controlada por el atacante, ya que el an\u00e1lisis JSON internaliza autom\u00e1ticamente cadenas cortas en la tabla hash afectada.\n\nEsta vulnerabilidad afecta a 20.x, 22.x, 24.x y 25.x."}], "lastModified": "2026-05-10T14:16:47.620", "sourceIdentifier": "support@hackerone.com"}