Home

Description

A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.

PUBLISHED Reserved 2026-01-04 | Published 2026-03-30 | Updated 2026-05-10 | Assigner hackerone




MEDIUM: 5.7CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Product status

Default status
unaffected

24.14.0 (semver)
affected

25.8.1 (semver)
affected

References

nodejs.org/...log/vulnerability/march-2026-security-releases

hackerone.com/reports/3546390

cve.org (CVE-2026-21712)

nvd.nist.gov (CVE-2026-21712)

Download JSON