CVE-2025-27209

NameCVE-2025-27209
DescriptionThe V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects Node.js v24.x users.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)bullseye12.22.12~dfsg-1~deb11u4fixed
bullseye (security)12.22.12~dfsg-1~deb11u7fixed
bookworm, bookworm (security)18.20.4+dfsg-1~deb12u1fixed
forky, trixie20.19.2+dfsg-1fixed
sid20.19.4+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssource(unstable)(not affected)

Notes

- nodejs <not-affected> (Only affects Node 24)
https://nodejs.org/en/blog/vulnerability/july-2025-security-releases#hashdos-in-v8-cve-2025-27209---high
Search for package or bug name: Reporting problems