Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (openjs).
CVSS VectorVendor: openjs
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
AnalysisAI
Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. Applications relying on fast-uri for URL validation in authorization checks can be tricked into allowing access to restricted resources. EPSS exploitation probability not yet calculated given recent disclosure; no active exploitation confirmed (not in CISA KEV), but attack vector is trivial (CVSS AV:N/AC:L/PR:N/UI:N) and patch is available in version 3.1.1.
Technical ContextAI
fast-uri is a JavaScript URI parsing and normalization library used in the Fastify web framework ecosystem. The vulnerability stems from incorrect implementation of RFC 3986 normalization: the library decodes percent-encoded characters (like %2F for '/' and %2E for '.') before performing dot-segment removal per RFC 3986 Section 5.2.4, rather than treating encoded data as opaque path segments. This violates the principle that percent-encoding should preserve semantic distinctions between literal characters and special path syntax. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), manifesting as a normalization collision vulnerability. Affected package: cpe:2.3:a:fast-uri:fast-uri:*:*:*:*:*:*:*:* (all versions through 3.1.0). Applications using this library for security-critical path comparison or prefix-matching authorization checks are vulnerable to authorization bypass.
RemediationAI
Vendor-released patch: upgrade to fast-uri version 3.1.1 or later, which corrects the normalization order to treat percent-encoded characters as opaque path data per RFC 3986. Update via npm with 'npm update fast-uri' or yarn equivalent, then verify package-lock.json reflects version >=3.1.1. For applications unable to upgrade immediately, implement compensating controls: (1) Perform authorization checks on raw, non-normalized URLs to prevent normalization-based bypasses, with trade-off that legitimate equivalent URLs may be incorrectly denied; (2) Explicitly reject URLs containing percent-encoded slashes (%2F, %5C) and dots (%2E) in security-critical paths using a pre-filter (regex: /%2[EeFf]|%5[Cc]/i), noting this breaks legitimate use cases requiring encoded special characters; (3) Use an alternative URI normalization library like 'uri-js' for security boundaries while migrating to fast-uri 3.1.1. Advisory URLs: https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 and https://cna.openjsf.org/security-advisories.html. Test authorization logic after patching to ensure intended access controls remain functional.
Authority confusion in fast-uri JavaScript library allows remote attackers to bypass URL validation security controls. T
Host-based security policy bypass in the fast-uri Node.js URI parser (versions 2.3.1 through 3.1.2 and 4.0.0) lets remot
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| openSUSE Leap Micro 5.5 | Fixed |
| openSUSE Leap Micro 5.5 | Fixed |
| openSUSE Leap Micro 5.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27129
GHSA-q3j6-qgpj-74h6