CVE-2026-21717 is a medium-severity vulnerability in the Node.js runtime, specifically rooted in the V8 JavaScript engine's string hashing mechanism. The flaw causes integer-like strings to be hashed to their numeric values, which makes hash collisions trivially predictable. This predictability allows an attacker to craft inputs that cause numerous hash collisions in V8's internal string table. Since Node.js frequently uses V8 for JavaScript execution, and JSON.parse() automatically internalizes short strings into this hash table, endpoints that parse JSON from untrusted sources are particularly vulnerable. When many collisions occur, the performance of the Node.js process degrades significantly, potentially leading to denial-of-service conditions by exhausting CPU resources. The vulnerability affects a broad range of Node.js versions, including 20.x, 22.x, 24.x, 25.x, and earlier major versions from 4.0 through 19.0, indicating a long-standing issue. The CVSS 3.0 base score is 5.9, reflecting a network attack vector with high attack complexity but no required privileges or user interaction, and impacting availability only. No known exploits have been reported in the wild as of the publication date. The vulnerability does not affect confidentiality or integrity but can severely impact service availability, making it a significant concern for applications relying on Node.js for JSON processing of untrusted inputs.

The primary impact of CVE-2026-21717 is denial of service through significant performance degradation of Node.js processes. Organizations running affected Node.js versions that expose JSON parsing endpoints to untrusted or attacker-controlled input are at risk of service disruption. This can lead to downtime, degraded user experience, and potential cascading failures in dependent services. Since Node.js is widely used in web applications, APIs, and microservices globally, the vulnerability could affect a large number of internet-facing services. The attack requires no authentication or user interaction, increasing the risk of automated exploitation attempts. Although no confidentiality or integrity impact exists, availability degradation can result in financial losses, reputational damage, and operational disruption. Enterprises relying on Node.js for critical infrastructure or customer-facing applications are particularly vulnerable. The broad version range affected means many legacy and current deployments may be exposed if not updated.

1. Upgrade Node.js to the latest patched versions once official fixes are released by the Node.js project. Monitor Node.js security advisories for updates. 2. Implement strict input validation and sanitization on all endpoints that parse JSON or accept string inputs to reduce the risk of attacker-controlled payloads triggering collisions. 3. Employ rate limiting and request throttling on APIs to mitigate the impact of collision-based denial-of-service attempts. 4. Use Web Application Firewalls (WAFs) or API gateways capable of detecting and blocking anomalous request patterns indicative of hash collision attacks. 5. Monitor application performance metrics and logs for unusual CPU spikes or latency increases that may indicate exploitation attempts. 6. Consider isolating critical Node.js services behind load balancers and failover mechanisms to maintain availability during attacks. 7. For legacy systems where immediate patching is not feasible, consider disabling or restricting JSON parsing of untrusted input or using alternative parsing libraries not affected by this vulnerability. 8. Conduct regular security assessments and penetration tests focusing on input handling and DoS resilience in Node.js applications.