Inefficient Algorithmic Complexity

CVE-2025-27209

High

7.5/10

Summary

The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using `rapidhash`. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. This vulnerability affects Node.js v24.x through v24.4.0.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-407 - Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

References

Advisory
Advisory
Release Note

Advisory Timeline

Published Jul 18, 2025

Inefficient Algorithmic Complexity

CVE-2025-27209

Summary

CWE-407 - Inefficient Algorithmic Complexity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS