Node.js URL.format() Crash via Malformed IDN
CVE-2026-21712 Published on March 30, 2026

A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.

NVD

Affected Versions

nodejs node:

Version 24.14.0, <= 24.14.0 is affected.
Version 25.8.1, <= 25.8.1 is affected.

Exploit Probability

EPSS

0.01%

Percentile

2.77%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Node.js URL.format() Crash via Malformed IDNCVE-2026-21712 Published on March 30, 2026

Affected Versions

Exploit Probability

Node.js URL.format() Crash via Malformed IDN
CVE-2026-21712 Published on March 30, 2026