Skip to main content

uriparser EUVDEUVD-2026-28537

| CVE-2026-44928 LOW
Always-Incorrect Control Flow Implementation (CWE-670)
2026-05-08 mitre GHSA-xw5w-xhjv-gf29
2.9
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
May 08, 2026 - 09:02 EUVD
Source Code Evidence Fetched
May 08, 2026 - 08:00 vuln.today
Analysis Generated
May 08, 2026 - 08:00 vuln.today
CVE Published
May 08, 2026 - 07:15 nvd
LOW 2.9

DescriptionCVE.org

In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.

AnalysisAI

The EqualsUri function in uriparser before version 1.0.2 incorrectly classifies structurally distinct URIs as equivalent due to flawed absolutePath comparison logic when a host is present. An attacker can craft two different URIs that the library treats as identical, potentially bypassing URI-based access control checks or authentication mechanisms that rely on URI comparison. The vulnerability affects all versions before 1.0.2 and requires local access with high attack complexity; the impact is limited to integrity (logic bypass) with no confidentiality or availability impact.

Technical ContextAI

uriparser is a C library for parsing Uniform Resource Identifiers according to RFC 3986. The vulnerability exists in the UriCompare.c module, specifically in the EqualsUri function family, which implements URI equality comparison. The bug stems from incorrect conditional logic that treats the absolutePath flag (which indicates whether a URI path begins with '/') as meaningful in all contexts. However, RFC 3986 semantics dictate that absolutePath is only relevant for URIs without a host component; URIs with authority (host) structures the path differently. The original code checked only whether a scheme was absent before comparing absolutePath, failing to account for the presence of a host. The fix introduces a HasHost() check to properly exclude absolutePath from comparison when a host is present, aligning the implementation with RFC 3986 path semantics. CWE-670 (Improper Validation of Incomplete Check) classifies this as incomplete validation logic in the equality check.

RemediationAI

Upgrade uriparser to version 1.0.2 or later, which corrects the absolutePath comparison logic by introducing a HasHost() check that excludes absolutePath from equality comparison when a host is present. Users unable to immediately upgrade should audit all uses of the EqualsUri function (and related equality functions) in their codebase to identify whether they are used for security-sensitive decisions such as access control, authentication, or URL whitelisting. Where such usage exists, add additional validation logic that explicitly checks URI components (scheme, authority, path) individually rather than relying on EqualsUri alone. Alternatively, implement a wrapper function that applies RFC 3986-compliant URI normalization before comparison. The remediation has no known breaking changes; patching is recommended without delay for any application using EqualsUri in security contexts.

Share

EUVD-2026-28537 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy