{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-27209", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2025-02-20T01:00:01.798Z", "datePublished": "2025-07-18T22:54:27.205Z", "dateUpdated": "2025-11-04T21:09:46.228Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.\r\n\r\n* This vulnerability affects Node.js v24.x users."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "24.0.0", "status": "affected", "lessThan": "24.4.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/july-2025-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-07-18T22:54:27.205Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-407", "lang": "en", "description": "CWE-407 Inefficient Algorithmic Complexity"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-21T17:14:28.794403Z", "id": "CVE-2025-27209", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T18:38:55.180Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/07/22/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:09:46.228Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/07/22/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:09:46.228Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27209", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-21T17:14:28.794403Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-407", "description": "CWE-407 Inefficient Algorithmic Complexity"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T17:16:08.656Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "24.0.0", "lessThan": "24.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/july-2025-security-releases"}], "descriptions": [{"lang": "en", "value": "The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.\r\n\r\n* This vulnerability affects Node.js v24.x users."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-07-18T22:54:27.205Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27209", "state": "PUBLISHED", "dateUpdated": "2025-11-04T21:09:46.228Z", "dateReserved": "2025-02-20T01:00:01.798Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2025-07-18T22:54:27.205Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.\r\n\r\n* This vulnerability affects Node.js v24.x users."}, {"lang": "es", "value": "La versi\u00f3n V8 utilizada en Node.js v24.0.0 ha cambiado la forma en que se calculan los hashes de cadenas mediante rapidhash. Esta implementaci\u00f3n reintroduce la vulnerabilidad HashDoS, ya que un atacante que controle las cadenas a las que se aplicar\u00e1 el hash puede generar numerosas colisiones de hash; un atacante puede generar colisiones incluso sin conocer la semilla del hash. * Esta vulnerabilidad afecta a los usuarios de Node.js v24.x."}], "id": "CVE-2025-27209", "lastModified": "2025-11-04T22:16:08.007", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-07-18T23:15:23.190", "references": [{"source": "[email protected]", "url": "https://nodejs.org/en/blog/vulnerability/july-2025-security-releases"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/07/22/2"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-407"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "nodejs: Node.js Rapidhash HashDoS Vulnerability", "id": "2382040", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2382040"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.\n* This vulnerability affects Node.js v24.x users.", "A flaw was found in nodejs. The V8 component\u2019s rapidhash implementation introduces a HashDoS vulnerability, allowing an attacker who can control the strings being hashed to trigger excessive CPU usage by generating numerous hash collisions. This exploitation vector results in an application level denial of service condition due to resource exhaustion."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-27209", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-07-18T22:54:27Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-27209\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27209\nhttps://nodejs.org/en/blog/vulnerability/july-2025-security-releases"], "statement": "The severity of this vulnerability is rated Moderate, as it does not impact system availability. The effects are confined to the application layer, without compromising the underlying system stability.\nNo Red Hat products or offerings are affected by this vulnerability.", "threat_severity": "Moderate"}