Vulnerability in Node.js URL Processing Affects Malformed IDNs
CVE-2026-21712

5.7 MEDIUM

Key Information:

Vendor: Node.js

Status
Vendor
CVE Published: 30 March 2026

What is CVE-2026-21712?

A flaw in Node.js URL processing causes an assertion failure when url.format() is called with a malformed internationalized domain name (IDN). The failed assertion crashes the Node.js process, which can disrupt web applications that rely on URL formatting and processing. Developers are advised to update to the latest security release to mitigate this risk.

Affected Version(s)

node 24.14.0

node 25.8.1

CVSS V3.0

Score: 5.7
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
