CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Description
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
Analysis
Denial of service in Node.js url.format() function allows authenticated remote attackers to crash Node.js processes by supplying malformed internationalized domain names (IDNs) with invalid characters, triggering an assertion failure in native code. CVSS 5.7 (medium severity) with EPSS exploitation probability not independently confirmed. …
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| trusty | needs-triage | - |
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 12.22.12~dfsg-1~deb11u4 | - |
| bullseye (security) | fixed | 12.22.12~dfsg-1~deb11u7 | - |
| bookworm, bookworm (security) | fixed | 18.20.4+dfsg-1~deb12u1 | - |
| trixie | fixed | 20.19.2+dfsg-1 | - |
| trixie (security) | fixed | 20.19.2+dfsg-1+deb13u2 | - |
| forky | fixed | 22.22.1+dfsg+~cs22.19.15-1 | - |
| sid | fixed | 22.22.2+dfsg+~cs22.19.15-1 | - |
| (unstable) | not-affected | - | - |
EUVD-2026-17093
GHSA-h8r7-m85c-mjhv