Description
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
Published: 2026-03-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A flaw in Node.js URL processing causes an assertion failure in native code when url.format() is called with a malformed internationalized domain name that contains invalid characters. This assertion failure crashes the Node.js process, resulting in a denial of service. The vulnerability stems from a logic error in IDN handling (CWE‑168) and does not provide code execution or privilege escalation.

Affected Systems

The flaw affects the Node.js runtime (nodejs:node) in every version that has not applied the March 2026 security release. All installations that rely on url.format() and accept external input including internationalized domain names are vulnerable if they are still running a pre‑March 2026 build.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the crash by supplying a crafted IDN to a vulnerable application, which may be possible remotely if the application accepts user‑supplied URLs. No public exploit has been disclosed, but a process crash can have significant impact in high‑availability or single‑process services.

Generated by OpenCVE AI on April 2, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the Node.js March 2026 security releases or later
  • If an upgrade is delayed, sanitize or reject malformed internationalized domain names before passing them to url.format()
  • Verify that the running Node.js version has the March 2026 patch applied
  • Monitor application logs for unexpected crashes and surface the issue promptly

Advisories

No advisories yet.

History

Each entry below lists the changed field and the values the record lost or gained at that time.

Fri, 03 Apr 2026 10:15:00 +0000
  First Time appeared: Nodejs; Nodejs nodejs
  Vendors & Products: Nodejs; Nodejs nodejs

Thu, 02 Apr 2026 20:30:00 +0000
  Weaknesses: CWE-739

Wed, 01 Apr 2026 02:15:00 +0000
  Title: removed "URL Format Crash from Malformed Internationalized Domain Names"; added "Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing"
  Weaknesses: CWE-168
  References
  Metrics: threat_severity: None → Moderate; cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Tue, 31 Mar 2026 03:00:00 +0000
  Title: URL Format Crash from Malformed Internationalized Domain Names
  Weaknesses: CWE-739

Mon, 30 Mar 2026 17:15:00 +0000
  Metrics: ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 16:00:00 +0000
  Description: A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
  References
  Metrics: cvssV3_0: {'score': 5.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-30T15:52:42.507Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21712

Vulnrichment

Updated: 2026-03-30T15:52:39.144Z

NVD

Status : Awaiting Analysis

Published: 2026-03-30T16:16:03.510

Modified: 2026-04-01T14:24:21.833

Link: CVE-2026-21712

Redhat

Severity : Moderate

Public Date: 2026-03-30T15:13:59Z

Links: CVE-2026-21712 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:38:16Z

Weaknesses