CVE-2026-21712

MEDIUM5.7EPSS 0.03%

發布日:1/1/1修改日:2026/4/6

描述

A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.

受影響套件(4)

Alpine/nodejsfrom 0, < 24.14.1-r0
Bitnami/node>= 24.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
Bitnami/node-min>= 24.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
Debian/nodejsfrom 0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

參考連結(5)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2026-21712
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-21712
WEBhttps://hackerone.com/reports/3546390
WEBhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-21712