{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21712", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.574Z", "datePublished": "2026-03-30T15:13:59.172Z", "dateUpdated": "2026-03-30T15:52:42.507Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}, {"url": "https://hackerone.com/reports/3546390"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.7, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T15:13:59.172Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:52:17.619170Z", "id": "CVE-2026-21712", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:52:42.507Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21712", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:52:17.619170Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:52:39.144Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 5.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "24.14.0", "versionType": "semver", "lessThanOrEqual": "24.14.0"}, {"status": "affected", "version": "25.8.1", "versionType": "semver", "lessThanOrEqual": "25.8.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}, {"url": "https://hackerone.com/reports/3546390"}], "descriptions": [{"lang": "en", "value": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T15:13:59.172Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21712", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:52:42.507Z", "dateReserved": "2026-01-04T15:00:06.574Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-30T15:13:59.172Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process."}], "id": "CVE-2026-21712", "lastModified": "2026-03-30T16:16:03.510", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T16:16:03.510", "references": [{"source": "support@hackerone.com", "url": "https://hackerone.com/reports/3546390"}, {"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing", "id": "2453037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453037"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-168", "details": ["A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.", "A flaw was found in Node.js. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a malformed Internationalized Domain Name (IDN) to the `url.format()` function. When processed, this malformed input triggers an internal error, causing the Node.js application to crash. This can disrupt services and make them unavailable."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21712", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs24", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T15:13:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21712\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21712\nhttps://hackerone.com/reports/3546390\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-30T17:23:35.060257+00:00", "value": {"mitigation_remediation": ["Upgrade Node.js to the latest security release issued in March\u00a02026", "If an upgrade cannot be performed immediately, validate or sanitize any internationalized domain names before passing them to url.format()", "Audit any third\u2011party dependencies that call url.format() and apply patches or workarounds for the same flaw", "Verify that the updated runtime no longer crashes when formatting malformed IDNs"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service (process crash)"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the Node.js runtime itself, i.e., the nodejs:node product. Because no specific version range is supplied, all Node.js releases that include the affected url.format() implementation are potentially impacted until the March\u00a02026 security updates are applied.", "description_and_impact": "A flaw in Node.js causes an assertion failure within the native code when its url.format() function processes a malformed internationalized domain name containing invalid characters. The assertion triggers a crash of the Node.js process, resulting in an availability loss for the application but does not directly expose confidentiality or integrity vulnerabilities.", "risk_and_exploitability": "With a CVSS score of 5.7 the flaw is considered moderate in severity. Exploitation requires an attacker to supply a specially crafted malformed IDN to a Node.js application that calls url.format(), after which the application process terminates deterministically. No remote code execution or data compromise is reported, yet a crash can be leveraged for denial\u2011of\u2011service attacks. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, so the risk remains moderate but actionable."}}}}, "created": "2026-03-30T20:55:37.309291+00:00", "title": "URL Format Crash from Malformed Internationalized Domain Names", "updated": "2026-03-30T20:55:37.309518+00:00", "vendors": [], "weaknesses": ["CWE-739"]}