CVE-2026-21717 in Node.js
摘要 (英语)
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
披露
2026-03-30
条目
| 标识符 | 漏洞 | CWE | 基础 | 临时 | 0day | 今天 | 可利用 | KEV | EPSS | CTI | 对策 | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 354148 | Node.js V8 Handler JSON.parse 拒绝服务 | 404 | 3.7 | 3.6 | $0-$5k | $0-$5k | 未定义 | 0.00000 | 5.41- | 官方修复 | CVE-2026-21717 |