PatchSiren cyber security CVE debrief
CVE-2026-21712 Hackerone CVE debrief
CVE-2026-21712 is a denial-of-service issue in Node.js URL handling. According to the supplied description, calling url.format() with a malformed internationalized domain name (IDN) containing invalid characters can trigger an assertion failure in native code and crash the Node.js process. The issue was published on 2026-03-30 and later modified on 2026-05-10.
- Vendor: Hackerone
- Product: Unknown
- CVSS: MEDIUM 5.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-30
- Original CVE updated: 2026-05-10
- Advisory published: 2026-03-30
- Advisory updated: 2026-05-10
Who should care
Teams running Node.js services, especially applications that format or process URL/IDN data from external or user-controlled sources. Production operators should pay particular attention if process crashes would interrupt customer-facing services or worker queues.
Technical summary
The supplied record describes a flaw in Node.js URL processing where malformed IDN input can reach native code during url.format() and cause an assertion failure, resulting in process termination. The available NVD metadata lists the weakness as CWE-20 and the CVSS vector as AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H, which describes a network-reachable, low-complexity attack with no confidentiality or integrity impact and a high availability impact (the vector also records low privileges and user interaction as required). NVD status in the supplied corpus is "Awaiting Analysis."
Defensive priority
Medium. This is primarily an availability issue rather than a confidentiality or integrity compromise, but it can still be operationally disruptive if affected services crash on malformed input.
Recommended defensive actions
- Review whether your Node.js applications call url.format() on untrusted or externally sourced IDN/hostname data.
- Upgrade Node.js to a release that includes the March 2026 security fixes referenced by the Node.js security advisory.
- Add input validation and normalization for URL/IDN data before formatting or routing it through application logic.
- Increase crash monitoring and alerting for Node.js services that handle arbitrary URL inputs.
- Retest any URL parsing or link-generation code paths with malformed IDN cases after patching to confirm the crash no longer occurs.
Evidence notes
The supplied corpus states that malformed internationalized domain names passed to url.format() can trigger an assertion failure in native code and crash Node.js. NVD metadata in the source item lists CWE-20 and CVSS v3.0 AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H, and marks the vulnerability status as "Awaiting Analysis." The record also cites a HackerOne report (3546390) and the Node.js March 2026 security releases as references. No exploit details beyond the crash condition are included here.
Official resources
Publicly disclosed in the supplied record on 2026-03-30 and updated on 2026-05-10. The source corpus does not identify this CVE as a KEV entry.