CVE-2025-27209

Name: CVE-2025-27209
Creator: NVD / NIST
Published: 2025-07-18T23:15:23.19+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 0.77%

Last modified Jun 17, 2026

CVE-2025-27209 is a vulnerability of currently unknown severity. The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects Node.js v24.x users.. EPSS estimates a 0.77% chance of exploitation in the next 30 days.

Description

The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects Node.js v24.x users.

Metrics

EPSS Probability

0.77%

51.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-407

References

Timeline

Published: Jul 18, 2025
Last Modified: Jun 17, 2026
Status: Deferred

Frequently Asked Questions

What is CVE-2025-27209?

How severe is CVE-2025-27209?

Severity scoring for CVE-2025-27209 is pending analysis. The EPSS model estimates a 0.77% probability of exploitation in the next 30 days.

How do I fix CVE-2025-27209?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-27209?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST