Security Vulnerability Report
CVE-2026-21717 CVSS 5.9 MEDIUM

CVE-2026-21717

Published: 2026-03-30 20:16:20
Last Modified: 2026-05-10 14:16:48

Description

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Node.js 20.x
Node.js 22.x
Node.js 24.x
Node.js 25.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// PoC Concept for CVE-2026-21717
// Generates a JSON payload designed to trigger hash collisions in V8
function generateMaliciousJson(size) {
  const obj = {};
  // The vulnerability involves integer-like strings hashing to their numeric value.
  // This loop creates keys that stress the hash table mechanism.
  // In a real exploit, specific keys causing exact collisions would be calculated based on table state.
  for (let i = 0; i < size; i++) {
    // Example keys; actual collision keys depend on specific V8 implementation details
    obj[`key_${i}`] = "data";
  }
  return JSON.stringify(obj);
}

// Usage: Send the output of this function to a vulnerable JSON parsing endpoint
const payload = generateMaliciousJson(200000);
console.log(payload);
```

References

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21717", "sourceIdentifier": "[email protected]", "published": "2026-03-30T20:16:20.010", "lastModified": "2026-05-10T14:16:47.620", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."}, {"lang": "es", "value": "Un fallo en el mecanismo de hash de cadenas de V8 hace que las cadenas similares a enteros se les aplique hash a su valor numérico, haciendo que las colisiones de hash sean trivialmente predecibles. 
Al elaborar una solicitud que causa muchas de estas colisiones en la tabla interna de cadenas de V8, un atacante puede degradar significativamente el rendimiento del proceso de Node.js.\n\nEl desencadenante más común es cualquier punto final que llama a `JSON.parse()` en la entrada controlada por el atacante, ya que el análisis JSON internaliza automáticamente cadenas cortas en la tabla hash afectada.\n\nEsta vulnerabilidad afecta a 20.x, 22.x, 24.x y 25.x."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-328"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", "source": "[email protected]"}]}}