CVE-2025-27209
Public on 2025-07-18
Modified on 2025-07-21
Description
The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.
While the V8 team does not classify this as a security vulnerability, the Node.js project considers it one due to its potential impact in real-world scenarios.
This vulnerability affects Node.js v24.x users.
Impact:
This vulnerability affects all users in active release lines: 24.x
NOTE: https://nodejs.org/en/blog/vulnerability/july-2025-security-releases#hashdos-in-v8-cve-2025-27209---high
While the V8 team does not classify this as a security vulnerability, the Node.js project considers it one due to its potential impact in real-world scenarios.
This vulnerability affects Node.js v24.x users.
Impact:
This vulnerability affects all users in active release lines: 24.x
NOTE: https://nodejs.org/en/blog/vulnerability/july-2025-security-releases#hashdos-in-v8-cve-2025-27209---high
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2023 | nodejs | Not Affected | ||
| Amazon Linux 2023 | nodejs20 | Not Affected | ||
| Amazon Linux 2023 | nodejs22 | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |