Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.
AnalysisAI
The EqualsUri function in uriparser before version 1.0.2 incorrectly classifies structurally distinct URIs as equivalent due to flawed absolutePath comparison logic when a host is present. An attacker can craft two different URIs that the library treats as identical, potentially bypassing URI-based access control checks or authentication mechanisms that rely on URI comparison. The vulnerability affects all versions before 1.0.2 and requires local access with high attack complexity; the impact is limited to integrity (logic bypass) with no confidentiality or availability impact.
Technical ContextAI
uriparser is a C library for parsing Uniform Resource Identifiers according to RFC 3986. The vulnerability exists in the UriCompare.c module, specifically in the EqualsUri function family, which implements URI equality comparison. The bug stems from incorrect conditional logic that treats the absolutePath flag (which indicates whether a URI path begins with '/') as meaningful in all contexts. However, RFC 3986 semantics dictate that absolutePath is only relevant for URIs without a host component; URIs with authority (host) structures the path differently. The original code checked only whether a scheme was absent before comparing absolutePath, failing to account for the presence of a host. The fix introduces a HasHost() check to properly exclude absolutePath from comparison when a host is present, aligning the implementation with RFC 3986 path semantics. CWE-670 (Improper Validation of Incomplete Check) classifies this as incomplete validation logic in the equality check.
RemediationAI
Upgrade uriparser to version 1.0.2 or later, which corrects the absolutePath comparison logic by introducing a HasHost() check that excludes absolutePath from equality comparison when a host is present. Users unable to immediately upgrade should audit all uses of the EqualsUri function (and related equality functions) in their codebase to identify whether they are used for security-sensitive decisions such as access control, authentication, or URL whitelisting. Where such usage exists, add additional validation logic that explicitly checks URI components (scheme, authority, path) individually rather than relying on EqualsUri alone. Alternatively, implement a wrapper function that applies RFC 3986-compliant URI normalization before comparison. The remediation has no known breaking changes; patching is recommended without delay for any application using EqualsUri in security contexts.
An issue was discovered in uriparser before 0.9.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex
An issue was discovered in uriparser before 0.9.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex
An issue was discovered in uriparser before 0.9.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi
uriparser before 1.0.1 suffers a numeric truncation vulnerability in text range comparison that causes denial of service
Pointer difference truncation to signed int in uriparser before version 1.0.2 allows local attackers to cause integer ov
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28537
GHSA-xw5w-xhjv-gf29