Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
In uriparser before 1.0.2, there is pointer difference truncation to int in various places.
AnalysisAI
Pointer difference truncation to signed int in uriparser before version 1.0.2 allows local attackers to cause integer overflow and data integrity issues through specially crafted URI inputs. The vulnerability stems from unsafe casting of pointer arithmetic results (afterLast - first) to int, which can overflow on systems where pointer differences exceed INT_MAX, leading to buffer overflows, incorrect memory calculations, and potential information disclosure. While CVSS score is low (2.9) due to local attack vector and high complexity, the fix adds comprehensive overflow detection using SIZE_MAX checks, indicating real risk in applications processing untrusted URIs locally.
Technical ContextAI
uriparser is a C library that parses and manipulates Uniform Resource Identifiers (URIs) according to RFC 3986. The vulnerability resides in multiple parsing and normalization functions (UriCommon.c, UriFile.c, UriNormalize.c, UriQuery.c) that calculate buffer lengths by subtracting pointer values (pointer arithmetic). In C, pointer subtraction yields a ptrdiff_t value; the vulnerable code unsafely casts these results to signed int via (int)(ptr_b - ptr_a). On systems where pointer arithmetic results exceed INT_MAX (e.g., processing large buffers or due to memory layout), this truncation causes integer overflow, leading to negative or wrapped values used in subsequent size calculations and memory operations. CWE-197 (Numeric Truncation Error) describes this exact flaw: loss of information during type conversion. The fix replaces int with size_t for length variables, adds stdint.h includes for SIZE_MAX, and implements explicit overflow checks before memory operations, preventing wrapped values from corrupting downstream logic.
RemediationAI
Upgrade uriparser to version 1.0.2 or later, which includes comprehensive overflow detection using SIZE_MAX and size_t types across all affected functions. If immediate upgrade is not feasible, apply the patch from GitHub PR #304 (https://github.com/uriparser/uriparser/pull/304) to your codebase; critical changes include: (1) Replace int length variables with size_t in UriCommon.c (RangeEquals, RemoveDotSegmentsEx), UriFile.c (FilenameToUriString), UriNormalize.c (LowercaseInplaceExceptPercentEncoding, FixPercentEncodingEngine, FixPercentEncodingMalloc), and UriQuery.c (ComposeQueryEngine, AppendQueryItem); (2) Add overflow checks using SIZE_MAX / sizeof(URI_CHAR) before all size-based memory operations; (3) Return URI_ERROR_OUTPUT_TOO_LARGE or URI_FALSE on overflow detection. Recompile dependent applications after patching. As a temporary compensating control, restrict uriparser usage to trusted, locally-generated URI inputs and avoid processing URIs from untrusted local sources (file uploads, IPC) until patched; this control is imperfect and does not prevent all attack scenarios.
An issue was discovered in uriparser before 0.9.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex
An issue was discovered in uriparser before 0.9.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex
An issue was discovered in uriparser before 0.9.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi
uriparser before 1.0.1 suffers a numeric truncation vulnerability in text range comparison that causes denial of service
The EqualsUri function in uriparser before version 1.0.2 incorrectly classifies structurally distinct URIs as equivalent
Same weakness CWE-197 – Numeric Truncation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28536
GHSA-gmxg-5w57-j63q