Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

The Node.js Blog offers developers insights into Node.js runtime, JavaScript ecosystem, and server-side development. Developers can learn about asynchronous programming, event-driven architecture, and building scalable web applications with Node.js, as well as explore updates, releases, and best practices from the Node.js community.

Node.js

A deep technical post by Joyee Cheung detailing how CVE-2026-21717 was addressed in Node.js's March 2026 security release. The vulnerability stemmed from V8's array index strings using a fully deterministic, unseeded hash, making them trivially exploitable for hash flooding attacks. The fix required designing a hash that is both HashDoS resistant and efficiently reversible — since V8 uses the hash field to recover integer values directly without re-parsing strings. The solution is a 3-round xorshift-multiply permutation operating on a 24-bit space, seeded with multipliers derived from V8's existing rapidhash secrets. The post covers the threat model, why naive approaches (XOR, linear congruential) fail, statistical evaluation using the strict avalanche criterion, implementation details across V8's C++ runtime and JIT-compiled paths, and benchmark results showing near-zero performance impact.

Node.js — Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8

What is HashDoS and why does it matter for Node.js?

HashDoS resistant vs. efficiently reversible