Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.
Conclusion & alert: CVE-2017-11499 is rated High Risk (67/100): CVSS High severity, with high exploitation likelihood (EPSS 5.48%, 92th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +4.93% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.55% | 5.48% | +4.93% |
| 2 | 2026-05-24 | 0.38% | 0.55% | +0.17% |
| 3 | 2026-03-08 | — | 0.38% | — |
Full EPSS history (15 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.0 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2017-11499 unimportant priority: Debian including 1 source packages (nodejs), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2017-11499 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2017-11499 |
suse
|
medium | CVE-2017-11499 severity moderate: SUSE including 216 source package names (MozillaFirefox-68.2.0-78.51.4, MozillaFirefox-branding-SLED-68-21.9.8, …), 539 product×package rows across 33 product lines (HPE Helion OpenStack 8, SUSE CaaS Platform 4.0, … (33 product lines)): Fixed 414, Known Not Affected 125. | https://www.suse.com/security/cve/CVE-2017-11499/ |
ubuntu
|
medium | CVE-2017-11499 medium priority: Ubuntu including 1 source packages (nodejs), 21 status rows across 21 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial, zesty): not-affected 18, ignored 1, needed 1, released 1. | https://ubuntu.com/security/CVE-2017-11499 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| nodejs | node.js | 4.0.0 | cpe:2.3:a:nodejs:node.js:4.0.0:*:*:*:*:*:*:* |
| nodejs | node.js | 4.1.0 | cpe:2.3:a:nodejs:node.js:4.1.0:*:*:*:*:*:*:* |
| nodejs | node.js | 4.1.1 | cpe:2.3:a:nodejs:node.js:4.1.1:*:*:*:*:*:*:* |
| nodejs | node.js | 4.1.2 | cpe:2.3:a:nodejs:node.js:4.1.2:*:*:*:*:*:*:* |
| nodejs | node.js | 4.2.0 | cpe:2.3:a:nodejs:node.js:4.2.0:*:*:*:*:*:*:* |
| nodejs | node.js | 4.2.1 | cpe:2.3:a:nodejs:node.js:4.2.1:*:*:*:*:*:*:* |
| nodejs | node.js | 4.2.2 | cpe:2.3:a:nodejs:node.js:4.2.2:*:*:*:*:*:*:* |
| nodejs | node.js | 4.2.3 | cpe:2.3:a:nodejs:node.js:4.2.3:*:*:*:*:*:*:* |
| nodejs | node.js | 4.2.4 | cpe:2.3:a:nodejs:node.js:4.2.4:*:*:*:*:*:*:* |
| nodejs | node.js | 4.2.5 | cpe:2.3:a:nodejs:node.js:4.2.5:*:*:*:*:*:*:* |
| nodejs | node.js | 4.2.6 | cpe:2.3:a:nodejs:node.js:4.2.6:*:*:*:*:*:*:* |
| nodejs | node.js | 4.3.0 | cpe:2.3:a:nodejs:node.js:4.3.0:*:*:*:*:*:*:* |
| nodejs | node.js | 4.3.1 | cpe:2.3:a:nodejs:node.js:4.3.1:*:*:*:*:*:*:* |
| nodejs | node.js | 4.3.2 | cpe:2.3:a:nodejs:node.js:4.3.2:*:*:*:*:*:*:* |
| nodejs | node.js | 4.4.0 | cpe:2.3:a:nodejs:node.js:4.4.0:*:*:*:*:*:*:* |
| nodejs | node.js | 4.4.1 | cpe:2.3:a:nodejs:node.js:4.4.1:*:*:*:*:*:*:* |
| nodejs | node.js | 4.4.2 | cpe:2.3:a:nodejs:node.js:4.4.2:*:*:*:*:*:*:* |
| nodejs | node.js | 4.4.3 | cpe:2.3:a:nodejs:node.js:4.4.3:*:*:*:*:*:*:* |
| nodejs | node.js | 4.4.4 | cpe:2.3:a:nodejs:node.js:4.4.4:*:*:*:*:*:*:* |
| nodejs | node.js | 4.4.5 | cpe:2.3:a:nodejs:node.js:4.4.5:*:*:*:*:*:*:* |
| nodejs | node.js | 4.4.6 | cpe:2.3:a:nodejs:node.js:4.4.6:*:*:*:*:*:*:* |
| nodejs | node.js | 4.4.7 | cpe:2.3:a:nodejs:node.js:4.4.7:*:*:*:*:*:*:* |
| nodejs | node.js | 4.5.0 | cpe:2.3:a:nodejs:node.js:4.5.0:*:*:*:*:*:*:* |
| nodejs | node.js | 4.6.0 | cpe:2.3:a:nodejs:node.js:4.6.0:*:*:*:*:*:*:* |
| nodejs | node.js | 4.6.1 | cpe:2.3:a:nodejs:node.js:4.6.1:*:*:*:*:*:*:* |
| nodejs | node.js | 4.6.2 | cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:*:*:*:* |
| nodejs | node.js | 4.7.0 | cpe:2.3:a:nodejs:node.js:4.7.0:*:*:*:*:*:*:* |
| nodejs | node.js | 4.7.1 | cpe:2.3:a:nodejs:node.js:4.7.1:*:*:*:*:*:*:* |
| nodejs | node.js | 4.7.2 | cpe:2.3:a:nodejs:node.js:4.7.2:*:*:*:*:*:*:* |
| nodejs | node.js | 4.7.3 | cpe:2.3:a:nodejs:node.js:4.7.3:*:*:*:*:*:*:* |
| nodejs | node.js | 4.8.0 | cpe:2.3:a:nodejs:node.js:4.8.0:*:*:*:*:*:*:* |
| nodejs | node.js | 4.8.1 | cpe:2.3:a:nodejs:node.js:4.8.1:*:*:*:*:*:*:* |
| nodejs | node.js | 4.8.2 | cpe:2.3:a:nodejs:node.js:4.8.2:*:*:*:*:*:*:* |
| nodejs | node.js | 4.8.3 | cpe:2.3:a:nodejs:node.js:4.8.3:*:*:*:*:*:*:* |
| nodejs | node.js | 5.0.0 | cpe:2.3:a:nodejs:node.js:5.0.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.1.0 | cpe:2.3:a:nodejs:node.js:5.1.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.1.1 | cpe:2.3:a:nodejs:node.js:5.1.1:*:*:*:*:*:*:* |
| nodejs | node.js | 5.2.0 | cpe:2.3:a:nodejs:node.js:5.2.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.3.0 | cpe:2.3:a:nodejs:node.js:5.3.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.4.0 | cpe:2.3:a:nodejs:node.js:5.4.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.4.1 | cpe:2.3:a:nodejs:node.js:5.4.1:*:*:*:*:*:*:* |
| nodejs | node.js | 5.5.0 | cpe:2.3:a:nodejs:node.js:5.5.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.6.0 | cpe:2.3:a:nodejs:node.js:5.6.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.7.0 | cpe:2.3:a:nodejs:node.js:5.7.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.7.1 | cpe:2.3:a:nodejs:node.js:5.7.1:*:*:*:*:*:*:* |
| nodejs | node.js | 5.8.0 | cpe:2.3:a:nodejs:node.js:5.8.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.9.0 | cpe:2.3:a:nodejs:node.js:5.9.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.9.1 | cpe:2.3:a:nodejs:node.js:5.9.1:*:*:*:*:*:*:* |
| nodejs | node.js | 5.10.0 | cpe:2.3:a:nodejs:node.js:5.10.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.10.1 | cpe:2.3:a:nodejs:node.js:5.10.1:*:*:*:*:*:*:* |
| nodejs | node.js | 5.11.0 | cpe:2.3:a:nodejs:node.js:5.11.0:*:*:*:*:*:*:* |
| nodejs | node.js | 5.11.1 | cpe:2.3:a:nodejs:node.js:5.11.1:*:*:*:*:*:*:* |
| nodejs | node.js | 5.12.0 | cpe:2.3:a:nodejs:node.js:5.12.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.0.0 | cpe:2.3:a:nodejs:node.js:6.0.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.1.0 | cpe:2.3:a:nodejs:node.js:6.1.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.2.0 | cpe:2.3:a:nodejs:node.js:6.2.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.2.1 | cpe:2.3:a:nodejs:node.js:6.2.1:*:*:*:*:*:*:* |
| nodejs | node.js | 6.2.2 | cpe:2.3:a:nodejs:node.js:6.2.2:*:*:*:*:*:*:* |
| nodejs | node.js | 6.3.0 | cpe:2.3:a:nodejs:node.js:6.3.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.3.1 | cpe:2.3:a:nodejs:node.js:6.3.1:*:*:*:*:*:*:* |
| nodejs | node.js | 6.4.0 | cpe:2.3:a:nodejs:node.js:6.4.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.5.0 | cpe:2.3:a:nodejs:node.js:6.5.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.6.0 | cpe:2.3:a:nodejs:node.js:6.6.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.7.0 | cpe:2.3:a:nodejs:node.js:6.7.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.8.0 | cpe:2.3:a:nodejs:node.js:6.8.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.8.1 | cpe:2.3:a:nodejs:node.js:6.8.1:*:*:*:*:*:*:* |
| nodejs | node.js | 6.9.0 | cpe:2.3:a:nodejs:node.js:6.9.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.9.1 | cpe:2.3:a:nodejs:node.js:6.9.1:*:*:*:*:*:*:* |
| nodejs | node.js | 6.9.2 | cpe:2.3:a:nodejs:node.js:6.9.2:*:*:*:*:*:*:* |
| nodejs | node.js | 6.9.3 | cpe:2.3:a:nodejs:node.js:6.9.3:*:*:*:*:*:*:* |
| nodejs | node.js | 6.9.4 | cpe:2.3:a:nodejs:node.js:6.9.4:*:*:*:*:*:*:* |
| nodejs | node.js | 6.9.5 | cpe:2.3:a:nodejs:node.js:6.9.5:*:*:*:*:*:*:* |
| nodejs | node.js | 6.10.0 | cpe:2.3:a:nodejs:node.js:6.10.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.10.1 | cpe:2.3:a:nodejs:node.js:6.10.1:*:*:*:*:*:*:* |
| nodejs | node.js | 6.10.2 | cpe:2.3:a:nodejs:node.js:6.10.2:*:*:*:*:*:*:* |
| nodejs | node.js | 6.10.3 | cpe:2.3:a:nodejs:node.js:6.10.3:*:*:*:*:*:*:* |
| nodejs | node.js | 6.11.0 | cpe:2.3:a:nodejs:node.js:6.11.0:*:*:*:*:*:*:* |
| nodejs | node.js | 6.11.1 | cpe:2.3:a:nodejs:node.js:6.11.1:*:*:*:*:*:*:* |
| nodejs | node.js | 7.0.0 | cpe:2.3:a:nodejs:node.js:7.0.0:*:*:*:*:*:*:* |
| nodejs | node.js | 7.1.0 | cpe:2.3:a:nodejs:node.js:7.1.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/99959 | Third Party Advisory VDB Entry |
| https://access.redhat.com/errata/RHSA-2017:2908 | |
| https://access.redhat.com/errata/RHSA-2017:3002 | |
| https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/ | Patch Vendor Advisory |