CVE-2025-27209: 
Node.js vulnerability analysis and mitigation

The vulnerability (CVE-2025-27209) is a high-severity HashDoS issue affecting Node.js v24.x users, discovered in July 2025. The vulnerability was introduced when the V8 release used in Node.js v24.0.0 changed how string hashes are computed using rapidhash. This implementation reintroduced the HashDoS vulnerability, allowing attackers to generate hash collisions without knowing the hash-seed (NodeJS Blog, NVD).

The vulnerability has been assigned a CVSS v3.0 base score of 7.5 (High) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The technical issue stems from the rapidhash implementation in V8, which allows attackers to control strings being hashed and generate multiple hash collisions. While the V8 team did not initially classify this as a security vulnerability, the Node.js project overrode this position due to its potential real-world impact (Security Online, NodeJS Blog).

The vulnerability primarily affects the availability of Node.js applications. When exploited, it can lead to denial-of-service conditions by overwhelming hash tables and significantly degrading server performance. The attack is particularly concerning as it can be executed without requiring knowledge of the hash-seed (Security Online).

The OpenJS Foundation has released patches to address this vulnerability. Users should upgrade to Node.js v24.4.1, which contains the fix for this issue. The vulnerability has also been addressed in Node.js v20.19.4 and v22.17.1 releases (NodeJS Blog).