Description
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
Published: 2026-03-30
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service (process crash)
Action: Immediate Patch
AI Analysis

Impact

A flaw in Node.js causes an assertion failure within the native code when its url.format() function processes a malformed internationalized domain name containing invalid characters. The assertion triggers a crash of the Node.js process, resulting in an availability loss for the application but does not directly expose confidentiality or integrity vulnerabilities.

Affected Systems

The vulnerability is present in the Node.js runtime itself, i.e., the nodejs:node product. Because no specific version range is supplied, all Node.js releases that include the affected url.format() implementation are potentially impacted until the March 2026 security updates are applied.

Risk and Exploitability

With a CVSS score of 5.7 the flaw is considered moderate in severity. Exploitation requires an attacker to supply a specially crafted malformed IDN to a Node.js application that calls url.format(), after which the application process terminates deterministically. No remote code execution or data compromise is reported, yet a crash can be leveraged for denial‑of‑service attacks. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, so the risk remains moderate but actionable.

Generated by OpenCVE AI on March 30, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to the latest security release issued in March 2026
  • If an upgrade cannot be performed immediately, validate or sanitize any internationalized domain names before passing them to url.format()
  • Audit any third‑party dependencies that call url.format() and apply patches or workarounds for the same flaw
  • Verify that the updated runtime no longer crashes when formatting malformed IDNs

Generated by OpenCVE AI on March 30, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title URL Format Crash from Malformed Internationalized Domain Names
Weaknesses CWE-739

Mon, 30 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
References
Metrics cvssV3_0

{'score': 5.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-30T15:52:42.507Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21712

cve-icon Vulnrichment

Updated: 2026-03-30T15:52:39.144Z

cve-icon NVD

Status : Received

Published: 2026-03-30T16:16:03.510

Modified: 2026-03-30T16:16:03.510

Link: CVE-2026-21712

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:55:37Z

Weaknesses