CVE-2026-21712

MEDIUM

Node.js 24.14.0 and 25.8.1 - Denial of Service via Malformed IDN in url.format()

Title source: llm

Description

A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.

References (2)

Core 2

Core References

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

https://hackerone.com/reports/3546390

Scores

CVSS v3 5.7

EPSS 0.0003

EPSS Percentile 10.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (2)

nodejs/node 24.14.0

nodejs/node 25.8.1

Published Mar 30, 2026

Tracked Since Mar 30, 2026