Primary

Context

Node.js Assertion Failure in URL Processing via Malformed IDN Leads to Crash

Vulnerability

Patched

A vulnerability in Node.js URL handling has been identified, where the `url.format()` function crashes the Node.js process. This issue arises when the function is called with a malformed internationalized domain name (IDN) that contains invalid characters, leading to an assertion failure in the native code.

Impact

Exploiting this vulnerability causes the Node.js process to crash, creating a denial-of-service condition.

Remediation

Users can upgrade to Node.js versions 24.14.1 or 25.8.2, both of which include the necessary fix.

Added: Mar 30, 2026, 4:36 PM

Updated: Mar 30, 2026, 4:36 PM

Vulnerability Rating

Custom Algorithm

spread

7.8

impact

2.5

exploitability

3.3

remediation

7.7

relevance

4.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

7.8

impact

2.5

exploitability

3.3

remediation

7.7

relevance

4.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Node.js Assertion Failure in URL Processing via Malformed IDN Leads to Crash

Vulnerability

Impact

Remediation

Affected Products

Node.js

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating