Impact
A flaw in Node.js URL processing causes an assertion failure in native code when url.format() is called with a malformed internationalized domain name (IDN) that contains invalid characters. Because the assertion fires in native code, it aborts the Node.js process rather than raising a catchable JavaScript error, resulting in a denial of service. The vulnerability stems from a logic error in IDN handling (CWE-168) and improper input validation leading to failures in internationalized domain name parsing (CWE-20); it does not provide code execution or privilege escalation.
Affected Systems
The flaw affects the Node.js runtime (nodejs:node) in every version that has not applied the March 2026 security release. All installations that call url.format() on external input that may include internationalized domain names are vulnerable if they are still running a pre-March 2026 build.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the crash by supplying a crafted IDN to a vulnerable application. The likely attack vector is an application that accepts user-supplied URLs and passes them to url.format(), which lets an external attacker deliver a malformed internationalized domain name. No public exploit has been disclosed, but the impact of a process crash can be significant in high-availability or single-process services.
OpenCVE Enrichment