Skip to main content

fast-uri EUVDEUVD-2026-40093

| CVE-2026-13676 HIGH
Interpretation Conflict (CWE-436)
2026-06-29 openjs
7.5
CVSS 3.1 · Vendor: openjs
Share

Severity by source

Vendor (openjs) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Remote, no auth or interaction needed to submit a malicious IDN URL; impact is a security-control bypass (integrity), with no direct confidentiality or availability loss, matching I:H/C:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (openjs).

CVSS VectorVendor: openjs

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 29, 2026 - 15:01 EUVD
Analysis Generated
Jun 29, 2026 - 14:24 vuln.today

DescriptionCVE.org

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.

AnalysisAI

Host-based security policy bypass in the fast-uri Node.js URI parser (versions 2.3.1 through 3.1.2 and 4.0.0) lets remote attackers defeat denylists, loopback filters, redirect validation, and SSRF/proxy-routing controls by supplying Unicode (IDN) hostnames. Because fast-uri's IDN path invokes a non-existent helper on the global URL constructor, it leaves the host in raw Unicode form while normalize() and equal() report a host that differs from what Node's WHATWG URL or fetch ultimately resolve, producing a parser-differential bypass. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint that validates URL host via fast-uri
Delivery
Craft URL with Unicode/IDN hostname
Exploit
fast-uri leaves host un-canonicalized and passes policy check
Execution
Node URL/fetch resolves host to internal target
Impact
Server issues request to attacker-chosen host (SSRF/policy bypass)

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application use fast-uri (vulnerable versions 2.3.1-3.1.2 or 4.0.0) to make a host-based security decision - denylist/allowlist checks, loopback/internal filtering, redirect destination validation, or outbound proxy routing - and then perform the actual HTTP request with a different, WHATWG-compatible parser such as Node's URL or fetch. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N scores 7.5 and is internally consistent for this class: network-reachable, low complexity, no privileges, no user interaction, with a pure integrity impact (security-control bypass) and no direct confidentiality or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application uses fast-uri to validate that a user-supplied webhook or redirect URL does not point at internal/loopback hosts, then fetches the URL with Node's fetch. An attacker submits a URL whose host is an internationalized (Unicode) form that fast-uri leaves un-canonicalized and judges allowed, but which Node's URL parser canonicalizes to an internal target, sending the server's request to an attacker-chosen internal host (SSRF). …
Remediation Upgrade fast-uri to the patched release for your line: Vendor-released patch 3.1.3 for the 3.x line, or 4.0.1 for the 4.x line, per the advisory at https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit Node.js applications and dependency manifests to identify use of fast-uri versions 2.3.1-3.1.2 or 4.0.0; prioritize systems with outbound URL enforcement or SSRF protections. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for SAP Applications 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected
SUSE Linux Enterprise Server for SAP applications 16.0 Affected

Share

EUVD-2026-40093 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy