How ZeroPath Works
Back to Blog

Node.js v24 HashDoS (CVE-2025-27209): How a V8 Hashing Change Reopened a Classic DoS Attack

A critical flaw in Node.js v24.x's V8 engine exposes applications to devastating HashDoS attacks. We dissect the technical root cause, real-world impact, and the urgent patch path for defenders.
CVE Analysis

11 min read

ZeroPath Security Research

ZeroPath Security Research

2025-07-18

Node.js v24 HashDoS (CVE-2025-27209): How a V8 Hashing Change Reopened a Classic DoS Attack

Node.js v24 HashDoS (CVE-2025-27209): How a V8 Hashing Change Reopened a Classic DoS Attack

When a single HTTP request can bring down a Node.js server, defenders must pay attention. In July 2025, a subtle change in the V8 JavaScript engine's string hashing algorithm—adopted in Node.js v24.x—reopened the door to a classic and devastating attack: HashDoS. This flaw, tracked as CVE-2025-27209, has immediate and severe implications for any organization running modern Node.js applications.

Introduction

Node.js is the backbone of millions of web applications, APIs, and microservices worldwide. Its event-driven, non-blocking architecture makes it a favorite for scalable server-side development. But with great adoption comes great risk: any vulnerability in Node.js or its dependencies can have far-reaching consequences. The V8 JavaScript engine, maintained by Google, powers Node.js's JavaScript execution. Changes in V8's internals can ripple out to every Node.js deployment.

In July 2025, security researchers discovered that the new rapidhash string hashing algorithm in V8 (as shipped in Node.js v24.0.0) made it trivial for attackers to generate massive hash collisions. This reintroduced the HashDoS problem—previously thought solved—allowing remote attackers to degrade or crash Node.js services simply by sending crafted strings. The vulnerability is critical for any public-facing Node.js v24.x deployment.

Technical Information

Vulnerability Mechanism

CVE-2025-27209 is rooted in the V8 engine's adoption of the rapidhash algorithm for string hashing, first present in Node.js v24.0.0. Unlike prior hash functions, rapidhash is deterministic and does not sufficiently randomize input, making it susceptible to collision attacks. An attacker who can control the strings being hashed—such as HTTP headers, query parameters, or JSON keys—can craft inputs that all hash to the same value. This forces JavaScript hash tables (objects, Maps) into their worst-case performance: each lookup or insertion becomes O(n), not O(1).

Exploitation Flow

  1. Attacker crafts a set of strings that are known to collide under rapidhash.
  2. Sends these strings as part of requests (e.g., as HTTP headers or JSON keys) to the target Node.js application.
  3. Node.js processes these strings, inserting them into hash-based data structures.
  4. Hash table performance collapses, causing CPU exhaustion and denial of service as the server spends excessive time resolving collisions.

Example Attack Code

// Example: Generating many colliding strings for rapidhash
const attackPayload = [];
for (let i = 0; i < 10000; i++) {
  attackPayload.push(`collision${i}`); // Crafted to collide
}
// Insert into a Map or object used by the server
attackPayload.forEach(str => someHashTable.set(str, 'payload'));

This attack does not require knowledge of the internal hash seed, nor does it require authentication. Any endpoint that accepts user-controlled strings as keys is potentially vulnerable.

Root Cause

The root cause is the insufficient randomness and collision resistance in the rapidhash implementation. The V8 team initially did not consider this a security issue, but the Node.js project recognized the practical risk for server-side applications and assigned a high-severity CVE.

Patch Information

To address the HashDoS vulnerability in V8, the Node.js team has released version 24.4.1, which includes an updated V8 engine with a revised string hashing mechanism. This update replaces the previous rapidhash implementation, which was susceptible to hash collision attacks, with a more secure hashing algorithm that mitigates the risk of Denial of Service (DoS) attacks through hash collisions. Users are strongly encouraged to upgrade to Node.js v24.4.1 to benefit from these security enhancements.

Affected Systems and Versions

CVE-2025-27209 specifically affects:

  • Node.js v24.0.0 through v24.4.0 (inclusive)
  • All platforms and configurations running these versions
  • Any application that processes user-controlled strings as keys in hash-based data structures

Earlier Node.js versions (prior to v24.0.0) and patched releases (v24.4.1 and later) are not vulnerable.

Vendor Security History

Node.js, under the OpenJS Foundation, has a mature and transparent security process. The project maintains a public vulnerability disclosure program, coordinates closely with upstream dependencies like V8, and issues regular security advisories. Notably, Node.js has faced similar issues with hash collisions in the past, and the rapid response to CVE-2025-27209—shipping a fix within weeks—demonstrates the team's commitment to security. However, the incident highlights the ongoing challenge of securing complex, layered open-source stacks where upstream changes can have unexpected downstream impacts.

References

Source: This report was created using AI

If you have suggestions for improvement or feedback, please reach out to us at [email protected]

Detect & fix
what others miss

Get startedBook a demo