BIT-node-min-2026-21717

Import Source
https://github.com/bitnami/vulndb/tree/main/data/node-min/BIT-node-min-2026-21717.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-node-min-2026-21717
Aliases
Published
2026-04-06T07:59:01.329Z
Modified
2026-04-06T08:41:21.410562756Z
Summary
[none]
Details

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.

The most common trigger is any endpoint that calls JSON.parse() on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / node-min

Package

Name
node-min
Purl
pkg:bitnami/node-min

Severity

  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
20.20.2
Introduced
21.0.0
Fixed
24.14.1
Introduced
25.0.0
Fixed
25.8.2

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/node-min/BIT-node-min-2026-21717.json"