HashDoS in Node.js V8 string hashing via predictable integer-like string collisions

This repository is a standalone proof-of-concept for CVE-2026-21717, a claimed Node.js/V8 predictable string-hash collision issue leading to denial of service. It is not part of a known exploit framework. The repository contains two substantive code files: poc.js, which is the actual exploit demonstration, and hash_slot_guesser.zig, which is an analysis/helper tool for understanding and predicting V8 hash slot behavior. The main exploit capability is CPU-exhaustion DoS. poc.js constructs a large adversarial JSON payload whose data array contains many crafted integer-like strings intended to collide in V8's internalized string hash table. It first builds a long probing chain using values derived from a base value (1234) and a modulus/capacity of 2^19, then appends 2^17 repetitions of the target value to force repeated expensive lookups through that chain. The script serializes the structure with JSON.stringify({ data: payload }) and immediately calls JSON.parse(string), measuring elapsed time with process.hrtime(). The comments indicate this can drive a single parse operation to roughly 44 seconds of CPU time. There is no reverse shell, code execution, persistence, or data theft; the effect is denial of service through algorithmic complexity. The Zig file, hash_slot_guesser.zig, is not the exploit delivery mechanism but a supporting research utility. It implements simplified V8 hash computation for integer-index-like strings, predicts initial probe slots for given capacities, searches for colliding numeric strings, models quadratic probing chains, and includes an interactive/demo main routine. Its purpose is to explain and help generate collision candidates rather than directly attack a remote target. There are no hardcoded remote IPs, domains, API endpoints, or C2 locations in the exploit code. The attack is conceptually network-deliverable because the malicious JSON would be sent to any application endpoint that accepts attacker-controlled JSON and parses it. However, the repository does not include a client/server harness or a specific vulnerable URL path. The README explicitly states the common trigger is any endpoint that calls JSON.parse() on untrusted input. Repository structure is minimal: README.md documents the vulnerability and usage; poc.js is the runnable PoC; hash_slot_guesser.zig is a helper/research tool; package.json provides minimal Node metadata; .nvmrc pins a Node version; .gitignore excludes generated artifacts and dependencies. Overall, this is a credible PoC repository demonstrating an algorithmic-complexity DoS against vulnerable Node.js/V8 JSON parsing behavior.

This is a small standalone JavaScript proof-of-concept repository for CVE-2026-21717, a claimed Node.js/V8 string hashing collision denial-of-service issue. The repository contains 5 files: minimal project metadata (.nvmrc, .gitignore, package.json), a README with vulnerability explanation and mitigation guidance, and a single executable PoC script (poc.js). The exploit is not tied to a framework. The core logic is entirely in poc.js. It constructs a large array of integer-like strings using a quadratic-probing-inspired sequence based on constants MOD=2^19, CHN=2^17, and REP=2^17. First, it generates many distinct numeric strings intended to occupy collision-related positions in V8's internal string table; then it appends repeated instances of a chosen target value ('1234') to force repeated lookups through the collision chain. The script serializes this structure into JSON with JSON.stringify({ data: payload }) and immediately parses it with JSON.parse(string), measuring elapsed time with process.hrtime(). The intended effect is extreme CPU consumption during parsing due to predictable collisions in V8 string internalization. There are no hardcoded remote URLs, IPs, sockets, or C2-style endpoints in the exploit code. The network aspect is conceptual rather than implemented: the README and comments explain that an attacker would send the generated JSON body to any remote application endpoint that accepts attacker-controlled JSON and invokes JSON.parse() or equivalent parsing. As such, the exploit capability is denial of service via resource exhaustion, not code execution or persistence. Operationally, this repository is a proof of concept rather than a weaponized exploit. It demonstrates local reproduction of the expensive parse path and provides enough detail for defenders or researchers to understand the attack pattern: large attacker-supplied JSON, integer-like string keys/values, predictable collisions, and CPU amplification. The README also identifies likely real-world exposure points as web/API endpoints that parse untrusted JSON and recommends mitigations such as patching Node.js, limiting payload size, rate limiting, and adding parsing timeouts.