Home
MEDIUM: 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HDefault status
unaffected
20.20.1 (semver)
affected
22.22.1 (semver)
affected
24.14.0 (semver)
affected
25.8.1 (semver)
affected
4.0 (semver) before 4.*
affected
5.0 (semver) before 5.*
affected
6.0 (semver) before 6.*
affected
7.0 (semver) before 7.*
affected
8.0 (semver) before 8.*
affected
9.0 (semver) before 9.*
affected
10.0 (semver) before 10.*
affected
11.0 (semver) before 11.*
affected
12.0 (semver) before 12.*
affected
13.0 (semver) before 13.*
affected
14.0 (semver) before 14.*
affected
15.0 (semver) before 15.*
affected
16.0 (semver) before 16.*
affected
17.0 (semver) before 17.*
affected
18.0 (semver) before 18.*
affected
19.0 (semver) before 19.*
affected
Description
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
Product status
20.20.1 (semver)
22.22.1 (semver)
24.14.0 (semver)
25.8.1 (semver)
4.0 (semver) before 4.*
5.0 (semver) before 5.*
6.0 (semver) before 6.*
7.0 (semver) before 7.*
8.0 (semver) before 8.*
9.0 (semver) before 9.*
10.0 (semver) before 10.*
11.0 (semver) before 11.*
12.0 (semver) before 12.*
13.0 (semver) before 13.*
14.0 (semver) before 14.*
15.0 (semver) before 15.*
16.0 (semver) before 16.*
17.0 (semver) before 17.*
18.0 (semver) before 18.*
19.0 (semver) before 19.*
References
nodejs.org/...log/vulnerability/march-2026-security-releases