Skip to main content

fast-uri CVE-2026-6321

| EUVDEUVD-2026-27129 HIGH
Path Traversal (CWE-22)
2026-05-04 openjs GHSA-q3j6-qgpj-74h6
7.5
CVSS 3.1 · Vendor: openjs
Share

Severity by source

Vendor (openjs) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (openjs).

CVSS VectorVendor: openjs

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
May 04, 2026 - 21:02 EUVD
Analysis Generated
May 04, 2026 - 20:31 vuln.today

DescriptionCVE.org

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.

AnalysisAI

Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. Applications relying on fast-uri for URL validation in authorization checks can be tricked into allowing access to restricted resources. EPSS exploitation probability not yet calculated given recent disclosure; no active exploitation confirmed (not in CISA KEV), but attack vector is trivial (CVSS AV:N/AC:L/PR:N/UI:N) and patch is available in version 3.1.1.

Technical ContextAI

fast-uri is a JavaScript URI parsing and normalization library used in the Fastify web framework ecosystem. The vulnerability stems from incorrect implementation of RFC 3986 normalization: the library decodes percent-encoded characters (like %2F for '/' and %2E for '.') before performing dot-segment removal per RFC 3986 Section 5.2.4, rather than treating encoded data as opaque path segments. This violates the principle that percent-encoding should preserve semantic distinctions between literal characters and special path syntax. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), manifesting as a normalization collision vulnerability. Affected package: cpe:2.3:a:fast-uri:fast-uri:*:*:*:*:*:*:*:* (all versions through 3.1.0). Applications using this library for security-critical path comparison or prefix-matching authorization checks are vulnerable to authorization bypass.

RemediationAI

Vendor-released patch: upgrade to fast-uri version 3.1.1 or later, which corrects the normalization order to treat percent-encoded characters as opaque path data per RFC 3986. Update via npm with 'npm update fast-uri' or yarn equivalent, then verify package-lock.json reflects version >=3.1.1. For applications unable to upgrade immediately, implement compensating controls: (1) Perform authorization checks on raw, non-normalized URLs to prevent normalization-based bypasses, with trade-off that legitimate equivalent URLs may be incorrectly denied; (2) Explicitly reject URLs containing percent-encoded slashes (%2F, %5C) and dots (%2E) in security-critical paths using a pre-filter (regex: /%2[EeFf]|%5[Cc]/i), noting this breaks legitimate use cases requiring encoded special characters; (3) Use an alternative URI normalization library like 'uri-js' for security boundaries while migrating to fast-uri 3.1.1. Advisory URLs: https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 and https://cna.openjsf.org/security-advisories.html. Test authorization logic after patching to ensure intended access controls remain functional.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

CVE-2026-6321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy