PatchSiren cyber security CVE debrief

CVE-2026-21717 Nodejs CVE debrief

CVE-2026-21717 describes a denial-of-service issue in Node.js related to V8 string hashing. Integer-like strings can be hashed to predictable numeric values, making collisions easy to create in V8’s internal string table and significantly degrading process performance, especially when attacker-controlled JSON is parsed.

Vendor: Nodejs
Product: Unknown
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-30
Original CVE updated: 2026-05-10
Advisory published: 2026-03-30
Advisory updated: 2026-05-10

Who should care

Operators and developers running internet-facing Node.js services, especially APIs that call JSON.parse() on untrusted input; platform, SRE, and security teams responsible for availability and patch management.

Technical summary

The issue affects Node.js 20.x, 22.x, 24.x, and 25.x. The provided description says V8’s string hashing mechanism can map integer-like strings to their numeric value, which makes hash collisions trivially predictable. Because JSON.parse() internalizes short strings into the affected table, endpoints that parse attacker-controlled JSON are a common trigger. The impact is availability-only: an attacker can significantly degrade performance of the Node.js process, but the supplied metadata does not indicate code execution or data exposure.

Defensive priority

Medium priority for exposed Node.js services; raise to high operational priority for public APIs that accept attacker-controlled JSON, since the primary impact is service degradation/DoS.

Recommended defensive actions

  • Review the Node.js March 2026 security releases advisory and deploy the vendor-fixed releases for affected 20.x, 22.x, 24.x, and 25.x deployments.
  • Inventory services that call JSON.parse() on untrusted or user-supplied input and treat them as the highest-risk entry points.
  • Apply request size limits, rate limiting, and upstream throttling on public JSON endpoints to reduce collision-amplification opportunities.
  • Monitor CPU usage, event-loop lag, latency, and error rates for signs of request-driven performance degradation.
  • Prioritize patching internet-facing services first, then internal workloads that process external or semi-trusted JSON.

Evidence notes

The supplied source corpus includes the CVE description, NVD metadata, and a reference to the Node.js March 2026 security releases page. NVD lists the CVSS vector as CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H and a CWE-328 weakness classification, with vulnStatus shown as "Awaiting Analysis". Timing context: the CVE was published on 2026-03-30T20:16:20.010Z and last modified on 2026-05-10T14:16:47.620Z. No exploit code or patch version details were supplied in the corpus.

Official resources

Public defensive debrief based only on the supplied CVE/NVD metadata and official reference link identifiers. No exploit instructions, proof-of-concept, or unsupported claims are included.