Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8
Nodejs.org • Tuesday, March 24, 2026
Node.js released a technical deep dive into CVE-2026-21717, a HashDoS vulnerability affecting the V8 JavaScript engine. The vulnerability stemmed from deterministic hashing of array index strings (integers up to 24 bits), which allowed attackers to craft JSON payloads causing O(n^2) collisions in internal hash tables. This could lead to extreme asymmetric resource consumption, effectively freezing the event loop. The mitigation involves a new 'minimally HashDoS resistant' integer hash that is seeded at startup but remains reversible to support V8's performance optimizations like fast string-to-integer conversion. The fix is included in the March 2026 security releases for Node.js v20, v22, v24, and v25.
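To make "seeded but reversible" concrete, here is an added sketch (not V8's or Node.js's code, and not the algorithm from the fix) of a 24-bit integer hash built only from invertible steps, so the original index can be recovered from the hash while the output still depends on a per-process seed. The construction (XOR key, odd multiplier, xorshift) and every name in it are assumptions chosen for illustration.

```javascript
// Illustrative only: NOT V8's algorithm. Names and construction are assumptions.
const BITS = 24;                 // array-index range mentioned in the summary
const MASK = (1 << BITS) - 1;

// Inverse of an odd multiplier modulo 2^24 (Newton iteration; each round
// doubles the number of correct low bits: 3 -> 6 -> 12 -> 24 -> 32).
function mulInverse(m) {
  let inv = m;
  for (let i = 0; i < 4; i++) inv = Math.imul(inv, 2 - Math.imul(m, inv));
  return inv & MASK;
}

// `seed` is a 32-bit value that a real runtime would draw from a CSPRNG once
// at startup; it is passed in here so the example is deterministic.
function makeSeededHash(seed) {
  const key = seed & MASK;                  // XOR whitening key
  const mul = ((seed >>> 8) | 1) & MASK;    // odd => invertible modulo 2^24
  const inv = mulInverse(mul);
  return {
    hash(x) {
      let h = (x ^ key) & MASK;
      h = Math.imul(h, mul) & MASK;         // bijective: mul is odd
      h ^= h >>> 12;                        // bijective: shift >= BITS / 2
      return Math.imul(h, mul) & MASK;
    },
    unhash(h) {                             // same steps, in reverse order
      h = Math.imul(h, inv) & MASK;
      h ^= h >>> 12;                        // this xorshift is its own inverse
      h = Math.imul(h, inv) & MASK;
      return (h ^ key) & MASK;
    },
  };
}

// Exhaustive check over all 2^24 inputs: if every value round-trips, the
// hash is a permutation of the index range (no two indices share a hash).
function roundTripsAll(h) {
  for (let x = 0; x <= MASK; x++) {
    if (h.unhash(h.hash(x)) !== x) return false;
  }
  return true;
}
```

Because every step is a bijection on 24-bit values, distinct indices never share a full hash value; which indices share a bucket in a smaller table depends on the seed, which is the property an unseeded, deterministic hash lacks.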