The fix has been merged into V8 and can be enabled via `v8_enable_seeded_array_index_hash`. It has been shipped to Node.js v25, v24, v22, and v20 via the March 2026 security release.
Upgrade now to protect your applications from this vulnerability!
Posts by Node.js
With a security release deadline to meet, we interleaved the hash exploration, statistical evaluation, V8 implementation, and performance testing during the development. More details in the blog post.
We identified the vulnerable code paths across V8, refactored to improve efficiency in seed accesses, and implemented the new hash both in runtime C++ and the JIT compiler. Preliminary testing in the classic JavaScript benchmarks showed no noticeable regressions.
This is bijective, efficiently invertible, and the runtime gets to hold the randomly generated keys (multipliers) for security. It fits our threat model, where the adversary cannot see the seed or observe the hash output, and only has a limited attack budget per request.
In this construction, xorshift propagates info downward, while multiply propagates info upward through carries. They're non-linear in each other's algebra, so the combination breaks the patterns each one preserves.
To address this, we designed a hash that alternates between xorshift and multiply with randomly generated multipliers. This descends from a family of mixers widely used in the industry. You can find cousins of it in Java's SplittableRandom, MurmurHash3's finalizer, and many others.
In CVE-2026-21717, the root cause lay in the unseeded hash V8 used for integer-looking strings, which needs to be quickly reversible to the original integer to maintain V8's performance optimizations. This poses a unique challenge not present in typical string hashing.
HashDoS occurs when an attacker paralyzes a server by sending a small amount of data that causes a huge amount of collisions in the server's hash tables. The standard mitigation is to use a seeded hash, with the seed randomly generated at startup to make the collisions unpredictable.
Can a hash be both HashDoS resistant *and* quickly reversible? That's the puzzle we had to tackle in V8 for the March 2026 Node.js security release.
For details, check out our blog post (with the math for the curious!). For a quick overview, 🧵 below
nodejs.org/en/blog/vuln...
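The alternating xorshift/multiply construction described in the thread above, sketched as an added example that is not V8's code or part of the original posts: a seeded mixer that stays bijective and can be inverted exactly by whoever holds the keys. The 32-bit width, the shift amounts, the two rounds and all function names are assumptions made for illustration.

```javascript
// Added illustration, not V8's code: 32-bit width, shift amounts and round
// count are assumptions chosen to show the xorshift/multiply structure.
const crypto = require('node:crypto');

// Odd multipliers are invertible modulo 2^32, which keeps each step bijective.
function randomOddMultiplier() {
  return (crypto.randomBytes(4).readUInt32LE(0) | 1) >>> 0;
}

// Inverse of an odd a modulo 2^32 by Newton iteration; a*a = 1 (mod 8), so
// x = a starts with 3 correct low bits and each step doubles that.
function inverseMod32(a) {
  let x = a;
  for (let i = 0; i < 4; i++) x = Math.imul(x, 2 - Math.imul(a, x));
  return x >>> 0;
}

// Undo y = x ^ (x >>> s): the top s bits of y are already x's, and every
// pass recovers s more bits below them.
function unxorshift(y, s) {
  let x = y;
  for (let i = s; i < 32; i += s) x = y ^ (x >>> s);
  return x >>> 0;
}

// keys play the role of the per-process secret seed (random odd multipliers).
function makeHash(keys = [randomOddMultiplier(), randomOddMultiplier()]) {
  const inv = keys.map(inverseMod32);
  const hash = (n) => {
    let x = n >>> 0;
    x ^= x >>> 16; x = Math.imul(x, keys[0]); // xorshift mixes high bits down
    x ^= x >>> 15; x = Math.imul(x, keys[1]); // multiply carries low bits up
    x ^= x >>> 16;
    return x >>> 0;
  };
  const unhash = (h) => {
    let x = unxorshift(h >>> 0, 16);
    x = unxorshift(Math.imul(x, inv[1]), 15);
    x = unxorshift(Math.imul(x, inv[0]), 16);
    return x >>> 0;
  };
  return { hash, unhash };
}

// Constructed check: every index in [0, count) must survive hash -> unhash.
function roundTrips({ hash, unhash }, count) {
  for (let n = 0; n < count; n++) if (unhash(hash(n)) !== n) return false;
  return true;
}
```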
⚠️ Security releases are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines.
Please see the blog post for additional details: nodejs.org/en/blog/vulnerability/ma...
⚠️ Security release pre-alert:
We will release new versions of 20, 22, 24, 25 release lines on or shortly after 24th March, 2026 in order to address:
* 2 high severity issues
* 5 medium severity issues
* 2 low severity issues
nodejs.org/en/blog/vuln...
Node.js 25.8.1 is out, fixing a Yargs 17 compatibility issue. Full changelog and download links at nodejs.org/en/blog/rele...
Node.js is moving to one major release per year starting with Node 27! 🚀
✅ Simpler: Every release becomes LTS.
✅ Predictable: Version numbers now align with the year.
✅ New: A 6-month Alpha channel for early testing.
https://bit.ly/4rnosLg
Node.js v20.20.1 is out 🎉
This is the last planned release before v20 goes End-of-Life ❗
Release notes 👇
nodejs.org/en/blog/rele...
Announcing the @nodejs.org LTS Upgrade and Modernization Program! 🚀
We're helping enterprises move safely off end-of-life Node.js versions to reduce security risks with our partner NodeSource.
Modern Node.js is safer Node.js. Details:
openjsf.org/blog/nodejs-...
Node.js release day! @ruyadorno.com and I just released Node.js 24.14.0 and 25.7.0, full changelog and download links at nodejs.org/en/blog/rele... and nodejs.org/en/blog/rele...
We have made our HackerOne policies even more strict. Now, if you don't have any Signal, you shouldn't be able to report through HackerOne. We advise you to contact any of the Security Release Stewards via OpenJS Slack.
nodejs.org/en/blog/anno...
GitHub is funding open source security work across dozens of projects, including OpenJS projects like @nodejs.org and Webpack.
Strong ecosystems are built through sustained investment in the software supply chain, and we appreciate @github.com's continued support of open source maintainers. 🫶
Node.js patch release day! Full changelog and download links at nodejs.org/en/blog/rele... and nodejs.org/en/blog/rele...
Big news 👀 The OpenJS Foundation is bringing a dedicated summit to RenderATL 2026. 🔥
Created by and for the JavaScript and Node.js community. Expect technical talks, real world lessons, and practical takeaways.
Check out the details + register for the conference: hubs.la/Q040sX130
That and more in v25.5.0, now out! Full changelog and download links in nodejs.org/en/blog/rele...
⚠️ The Node.js Project now requires a HackerOne Signal score of 1.0 or higher to submit vulnerability reports. This will help our team streamline reports and support effective security reviews.
nodejs.org/en/blog/anno...
Node.js v25.4.0 is out! 💚
• require(esm) now stable and a new CLI flag: --require-module
• http setGlobalProxyFromEnv() added
• Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects)
• Root CAs updated to NSS 3.117
More in: nodejs.org/en/blog/rele...
Today, we published a security release for @nodejs.org that fixes a critical bug affecting virtually every production Node.js app.
If you use React Server Components, Next.js, or ANY APM tool (Datadog, New Relic, OpenTelemetry), your app could be vulnerable to DoS attacks.
👇
We appreciate your patience and understanding as we work to deliver a secure and reliable release.
Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines to address:
- 3 high severity issues
- 4 medium severity issues
- 1 low severity issue
nodejs.org/en/blog/vuln...
🚨Our team has decided to postpone the release to Tuesday, January 13th, 2026. This additional time will allow us to properly test all backports and re-run CITGM to ensure the highest quality for our users.
The guide is still in progress, but currently covers JavaScript packages without a build step.
More to come. Feedback, issues, and PRs are welcome!
https://github.com/nodejs/package-examples