ALPINE-CVE-2026-21717
- Source
- https://security.alpinelinux.org/vuln/CVE-2026-21717
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-21717.json
- JSON Data
- https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-21717
- Upstream
- Published
- 2026-03-30T20:16:20.010Z
- Modified
- 2026-04-05T16:31:47.271159Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.
The most common trigger is any endpoint that calls
JSON.parse()on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.This vulnerability affects 20.x, 22.x, 24.x, and 25.x.
- References
Affected packages
Alpine:v3.21 / nodejs
Package
- Name
- nodejs
- Purl
- pkg:apk/alpine/nodejs?arch=source
Alpine:v3.22 / nodejs
Package
- Name
- nodejs
- Purl
- pkg:apk/alpine/nodejs?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed22.22.2-r0
Alpine:v3.23 / nodejs
Package
- Name
- nodejs
- Purl
- pkg:apk/alpine/nodejs?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed24.14.1-r0