What is the CVSS score of CVE-2026-21717?

CVE-2026-21717 has a CVSS 3.0 base score of 5.9 (Medium). CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-21717?

Yes, a patch is available for CVE-2026-21717. Update the affected software to the latest version immediately.

Node.js CVE-2026-21717

EUVD-2026-17182 MEDIUM

Use of Weak Hash (CWE-328)

2026-03-30 hackerone

GHSA-326m-34v3-gv5p

Information Disclosure Node.js

5.9

CVSS 3.0

CVSS VectorNVD

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 30, 2026 - 19:30 euvd

EUVD-2026-17182

Analysis Generated

Mar 30, 2026 - 19:30 vuln.today

CVE Published

Mar 30, 2026 - 19:07 nvd

MEDIUM 5.9

DescriptionNVD

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.

The most common trigger is any endpoint that calls JSON.parse() on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x.

AnalysisAI

Denial of service in Node.js 20.x, 22.x, 24.x, and 25.x via predictable hash collisions in V8's string hashing mechanism allows unauthenticated remote attackers to degrade process performance by crafting requests with specially-crafted JSON payloads that trigger collision cascades in the internal string table. CVSS 5.9 (moderate severity, high attack complexity). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Vendor StatusVendor

Ubuntu

Priority: Medium

nodejs

Release	Status	Version
trusty	needs-triage	-
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
questing	needs-triage	-
upstream	released	22.22.2+dfsg+~cs22.19.15-1

Debian

nodejs

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	12.22.12~dfsg-1~deb11u4	-
bullseye (security)	vulnerable	12.22.12~dfsg-1~deb11u7	-
bookworm, bookworm (security)	vulnerable	18.20.4+dfsg-1~deb12u1	-
trixie	fixed	20.19.2+dfsg-1+deb13u2	-
trixie (security)	fixed	20.19.2+dfsg-1+deb13u2	-
forky	vulnerable	22.22.1+dfsg+~cs22.19.15-1	-
sid	fixed	22.22.2+dfsg+~cs22.19.15-1	-
(unstable)	fixed	22.22.2+dfsg+~cs22.19.15-1	-

DSA-6183-1

CVE-2026-21717 vulnerability details – vuln.today

Back

Node.js CVE-2026-21717

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code