{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27209", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2025-02-20T01:00:01.798Z", "datePublished": "2025-07-18T22:54:27.205Z", "dateUpdated": "2025-07-21T18:38:55.180Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.\r\n\r\n* This vulnerability affects Node.js v24.x users."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "24.0.0", "status": "affected", "lessThan": "24.4.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/july-2025-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-07-18T22:54:27.205Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-407", "lang": "en", "description": "CWE-407 Inefficient Algorithmic Complexity"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-21T17:14:28.794403Z", "id": "CVE-2025-27209", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T18:38:55.180Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27209", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-21T17:14:28.794403Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-407", "description": "CWE-407 Inefficient Algorithmic Complexity"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T17:16:08.656Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "24.0.0", "lessThan": "24.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/july-2025-security-releases"}], "descriptions": [{"lang": "en", "value": "The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.\r\n\r\n* This vulnerability affects Node.js v24.x users."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-07-18T22:54:27.205Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27209", "state": "PUBLISHED", "dateUpdated": "2025-07-21T18:38:55.180Z", "dateReserved": "2025-02-20T01:00:01.798Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2025-07-18T22:54:27.205Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.\r\n\r\n* This vulnerability affects Node.js v24.x users."}, {"lang": "es", "value": "La versi\u00f3n V8 utilizada en Node.js v24.0.0 ha cambiado la forma en que se calculan los hashes de cadenas mediante rapidhash. Esta implementaci\u00f3n reintroduce la vulnerabilidad HashDoS, ya que un atacante que controle las cadenas a las que se aplicar\u00e1 el hash puede generar numerosas colisiones de hash; un atacante puede generar colisiones incluso sin conocer la semilla del hash. * Esta vulnerabilidad afecta a los usuarios de Node.js v24.x."}], "id": "CVE-2025-27209", "lastModified": "2025-07-22T13:06:07.260", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-07-18T23:15:23.190", "references": [{"source": "[email protected]", "url": "https://nodejs.org/en/blog/vulnerability/july-2025-security-releases"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-407"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}