CVE-2017-11499

HIGH

Node.js 4.0-4.8.3 5.x 6.0-6.11.0 7.0-7.10.0 8.0-8.1.3 - Denial of Service via Hash Flooding

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-11499. PoCs published by open-flaw, dajneem23.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2017-11499, demonstrating both the uninitialized buffer vulnerability in Node.js v4.x and the hash flooding DoS attack affecting Node.js v4.0.0 through v8.1.3. The PoC includes multiple attack methods, including hash collision testing and memory corruption monitoring.

Description

Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.

Exploits (2)

nomisec WORKING POC
by open-flaw · poc
https://github.com/open-flaw/CVE-2017-11499

This repository contains functional exploit code for CVE-2017-11499, demonstrating both the uninitialized buffer vulnerability in Node.js v4.x and the hash flooding DoS attack affecting Node.js v4.0.0 through v8.1.3. The PoC includes multiple attack methods, including hash collision testing and memory corruption monitoring.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Node.js v4.x, v6.x, v7.x, v8.x (up to v8.1.3)
No auth needed
Prerequisites: Node.js environment · network access to target server
devstral-2 · analyzed May 19, 2026 Full analysis →
nomisec WORKING POC
by dajneem23 · poc
https://github.com/dajneem23/CVE-2017-11499

This repository contains functional exploit code for CVE-2017-11499, demonstrating both the uninitialized buffer vulnerability in Node.js v4.x and the hash flooding DoS attack affecting Node.js versions 4.0.0 through 8.1.3. The PoC includes multiple attack methods, including hash collision testing and memory corruption monitoring.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Node.js v4.x (uninitialized buffer), Node.js v4.0.0 through v8.1.3 (hash flooding)
No auth needed
Prerequisites: Node.js environment (v4.x for uninitialized buffer, v4.0.0-v8.1.3 for hash flooding) · Network access to target server
devstral-2 · analyzed Apr 10, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99959
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3002
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2908

Scores

CVSS v3 7.5
EPSS 0.0548
EPSS Percentile 91.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-20
Status published
Products (50)
nodejs/node.js 4.0.0
nodejs/node.js 4.1.0
nodejs/node.js 4.1.1
nodejs/node.js 4.1.2
nodejs/node.js 4.2.0
nodejs/node.js 4.2.1
nodejs/node.js 4.2.2
nodejs/node.js 4.2.3
nodejs/node.js 4.2.4
nodejs/node.js 4.2.5
... and 40 more
Published Jul 25, 2017
Tracked Since Feb 18, 2026