{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21712", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.574Z", "datePublished": "2026-03-30T15:13:59.172Z", "dateUpdated": "2026-03-30T15:52:42.507Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}, {"url": "https://hackerone.com/reports/3546390"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.7, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T15:13:59.172Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:52:17.619170Z", "id": "CVE-2026-21712", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:52:42.507Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21712", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:52:17.619170Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:52:39.144Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 5.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "24.14.0", "versionType": "semver", "lessThanOrEqual": "24.14.0"}, {"status": "affected", "version": "25.8.1", "versionType": "semver", "lessThanOrEqual": "25.8.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}, {"url": "https://hackerone.com/reports/3546390"}], "descriptions": [{"lang": "en", "value": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T15:13:59.172Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21712", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:52:42.507Z", "dateReserved": "2026-01-04T15:00:06.574Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-30T15:13:59.172Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process."}], "id": "CVE-2026-21712", "lastModified": "2026-03-30T16:16:03.510", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-30T16:16:03.510", "references": [{"source": "[email protected]", "url": "https://hackerone.com/reports/3546390"}, {"source": "[email protected]", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-30T17:23:35.060257+00:00", "value": {"mitigation_remediation": ["Upgrade Node.js to the latest security release issued in March\u00a02026", "If an upgrade cannot be performed immediately, validate or sanitize any internationalized domain names before passing them to url.format()", "Audit any third\u2011party dependencies that call url.format() and apply patches or workarounds for the same flaw", "Verify that the updated runtime no longer crashes when formatting malformed IDNs"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service (process crash)"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the Node.js runtime itself, i.e., the nodejs:node product. Because no specific version range is supplied, all Node.js releases that include the affected url.format() implementation are potentially impacted until the March\u00a02026 security updates are applied.", "description_and_impact": "A flaw in Node.js causes an assertion failure within the native code when its url.format() function processes a malformed internationalized domain name containing invalid characters. The assertion triggers a crash of the Node.js process, resulting in an availability loss for the application but does not directly expose confidentiality or integrity vulnerabilities.", "risk_and_exploitability": "With a CVSS score of 5.7 the flaw is considered moderate in severity. Exploitation requires an attacker to supply a specially crafted malformed IDN to a Node.js application that calls url.format(), after which the application process terminates deterministically. No remote code execution or data compromise is reported, yet a crash can be leveraged for denial\u2011of\u2011service attacks. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, so the risk remains moderate but actionable."}}}}, "created": "2026-03-30T20:55:37.309291+00:00", "title": "URL Format Crash from Malformed Internationalized Domain Names", "updated": "2026-03-30T20:55:37.309518+00:00", "vendors": [], "weaknesses": ["CWE-739"]}