Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Remote, no auth or interaction needed to submit a malicious IDN URL; impact is a security-control bypass (integrity), with no direct confidentiality or availability loss, matching I:H/C:N/A:N.
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from Vendor (openjs).
CVSS VectorVendor: openjs
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
AnalysisAI
Host-based security policy bypass in the fast-uri Node.js URI parser (versions 2.3.1 through 3.1.2 and 4.0.0) lets remote attackers defeat denylists, loopback filters, redirect validation, and SSRF/proxy-routing controls by supplying Unicode (IDN) hostnames. Because fast-uri's IDN path invokes a non-existent helper on the global URL constructor, it leaves the host in raw Unicode form while normalize() and equal() report a host that differs from what Node's WHATWG URL or fetch ultimately resolve, producing a parser-differential bypass. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application use fast-uri (vulnerable versions 2.3.1-3.1.2 or 4.0.0) to make a host-based security decision - denylist/allowlist checks, loopback/internal filtering, redirect destination validation, or outbound proxy routing - and then perform the actual HTTP request with a different, WHATWG-compatible parser such as Node's URL or fetch. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N scores 7.5 and is internally consistent for this class: network-reachable, low complexity, no privileges, no user interaction, with a pure integrity impact (security-control bypass) and no direct confidentiality or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application uses fast-uri to validate that a user-supplied webhook or redirect URL does not point at internal/loopback hosts, then fetches the URL with Node's fetch. An attacker submits a URL whose host is an internationalized (Unicode) form that fast-uri leaves un-canonicalized and judges allowed, but which Node's URL parser canonicalizes to an internal target, sending the server's request to an attacker-chosen internal host (SSRF). … |
| Remediation | Upgrade fast-uri to the patched release for your line: Vendor-released patch 3.1.3 for the 3.x line, or 4.0.1 for the 4.x line, per the advisory at https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit Node.js applications and dependency manifests to identify use of fast-uri versions 2.3.1-3.1.2 or 4.0.0; prioritize systems with outbound URL enforcement or SSRF protections. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls
Authority confusion in fast-uri JavaScript library allows remote attackers to bypass URL validation security controls. T
Same weakness CWE-436 – Interpretation Conflict
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Module for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Module for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Module for SAP Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Module for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40093