Node.js V8 Hash Collision Vulnerability Leading to Performance Degradation
Vulnerability
A vulnerability in the V8 JavaScript engine's string hashing process allows integer-like strings to be hashed as their numeric equivalents, creating predictable hash collisions. An attacker can exploit this flaw by sending requests that generate many collisions, degrading the performance of the Node.js process. The issue commonly arises when `JSON.parse()` is used on attacker-controlled input, because parsing automatically internalizes short strings into the vulnerable hash table. This vulnerability impacts Node.js versions 20.x, 22.x, 24.x, and 25.x.
Impact
Exploitation of this vulnerability causes a denial-of-service condition by degrading the performance of the Node.js process.
Reproduction
To reproduce this vulnerability, send a request to a Node.js server with input that includes integer-like strings. The server should process this input with `JSON.parse()`, which will trigger the hashing flaw in V8. This can be done by creating an endpoint that parses JSON data from the request, effectively internalizing the short strings into V8's string table where the hash collisions can occur.
Remediation
Users can update to Node.js versions 20.20.2, 22.22.2, 24.14.1, or 25.8.2, all of which include the necessary fix.
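The following check is an added example, not part of the original advisory or of Node.js itself: it classifies a Node.js version string against the fixed releases listed above. The function names and the sample inventory are constructed for illustration, and treating unlisted release lines and pre-release tags as "unknown" is an assumption.

```javascript
// Added example: fixed releases come from the Remediation section above;
// function names and the sample inventory are constructed for illustration.
const FIXED = {
  20: [20, 20, 2],
  22: [22, 22, 2],
  24: [24, 14, 1],
  25: [25, 8, 2],
};

// Parse "v22.22.1" or "22.22.1"; returns null for anything else,
// including pre-release or nightly tags such as "v25.8.2-rc.1".
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison per component, so 25.8.10 sorts after 25.8.2.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "patched", "vulnerable" or "unknown". "unknown" covers unparsable
// input and release lines the advisory text does not list (assumption).
function classify(version) {
  const parsed = parseVersion(version);
  if (!parsed) return "unknown";
  const fixed = FIXED[parsed[0]];
  if (!fixed) return "unknown";
  return compareVersions(parsed, fixed) >= 0 ? "patched" : "vulnerable";
}

// Returns inventory entries ({ host, version }) that are not confirmed patched.
function needsAttention(inventory) {
  return inventory
    .map((e) => ({ ...e, status: classify(e.version) }))
    .filter((e) => e.status !== "patched");
}

// Constructed sample inventory.
const SAMPLE = [
  { host: "api-1", version: "v20.20.1" },
  { host: "api-2", version: "v22.22.2" },
  { host: "worker-1", version: "v24.14.0" },
  { host: "edge-1", version: "v25.8.10" },
  { host: "legacy-1", version: "v18.20.4" },
];

console.log("this runtime:", process.version, classify(process.version));
console.log(needsAttention(SAMPLE));
```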
