CVE-2026-21712

Summary

A flaw in Node.js URL processing causes an assertion failure in native code when url.format() is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.

Affected Software

VendorProductVersion RangeStatus
nodejsnode24.14.0 <= 24.14.0affected
nodejsnode25.8.1 <= 25.8.1affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References