CVE-2026-21712

MEDIUM5.7EPSS 0.03%

Published: 1/1/1Modified: 3/31/2026

Also known as:ALPINE-CVE-2026-21712

Description

A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.

Affected packages (4)

Alpine/nodejsfrom 0, < 24.14.1-r0
Bitnami/node>= 24.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
Bitnami/node-min>= 24.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
Debian/nodejsfrom 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

References (5)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2026-21712
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-21712
WEBhttps://hackerone.com/reports/3546390
WEBhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-21712