CVE-2025-27209 | THREATINT

Description

The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects Node.js v24.x users.

PUBLISHED Reserved 2025-02-20 | Published 2025-07-18 | Updated 2025-11-04 | Assigner hackerone

HIGH: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Product status

Default status

unaffected

24.0.0 (semver) before 24.4.1

affected

References

www.openwall.com/lists/oss-security/2025/07/22/2

nodejs.org/en/blog/vulnerability/july-2025-security-releases

cve.org (CVE-2025-27209)

nvd.nist.gov (CVE-2025-27209)

Download JSON