Skip to main content

Fast Uri

3 CVEs product

Monthly

CVE-2026-13676 HIGH PATCH This Week

Host-based security policy bypass in the fast-uri Node.js URI parser (versions 2.3.1 through 3.1.2 and 4.0.0) lets remote attackers defeat denylists, loopback filters, redirect validation, and SSRF/proxy-routing controls by supplying Unicode (IDN) hostnames. Because fast-uri's IDN path invokes a non-existent helper on the global URL constructor, it leaves the host in raw Unicode form while normalize() and equal() report a host that differs from what Node's WHATWG URL or fetch ultimately resolve, producing a parser-differential bypass. No public exploit is identified at time of analysis, but the bypass is trivially reproducible and primarily enables SSRF-style integrity attacks.

Authentication Bypass Fast Uri
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-6322 npm HIGH POC PATCH GHSA This Week

Authority confusion in fast-uri JavaScript library allows remote attackers to bypass URL validation security controls. The normalize() function improperly decodes percent-encoded at-signs (%40) in hostnames, then re-serializes them as raw userinfo delimiters, causing URLs like 'http://trusted.com%40evil.com' to resolve to 'evil.com' instead of 'trusted.com'. Applications using fast-uri to validate URLs against allowlists or for redirect validation can be tricked into connecting to attacker-controlled domains. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no authentication. EPSS data not available; no confirmed active exploitation (not in CISA KEV). Vendor patch released in version 3.1.2.

Information Disclosure Fast Uri
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-6321 npm HIGH POC PATCH GHSA This Week

Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. Applications relying on fast-uri for URL validation in authorization checks can be tricked into allowing access to restricted resources. EPSS exploitation probability not yet calculated given recent disclosure; no active exploitation confirmed (not in CISA KEV), but attack vector is trivial (CVSS AV:N/AC:L/PR:N/UI:N) and patch is available in version 3.1.1.

Path Traversal Fast Uri
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Host-based security policy bypass in the fast-uri Node.js URI parser (versions 2.3.1 through 3.1.2 and 4.0.0) lets remote attackers defeat denylists, loopback filters, redirect validation, and SSRF/proxy-routing controls by supplying Unicode (IDN) hostnames. Because fast-uri's IDN path invokes a non-existent helper on the global URL constructor, it leaves the host in raw Unicode form while normalize() and equal() report a host that differs from what Node's WHATWG URL or fetch ultimately resolve, producing a parser-differential bypass. No public exploit is identified at time of analysis, but the bypass is trivially reproducible and primarily enables SSRF-style integrity attacks.

Authentication Bypass Fast Uri
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Authority confusion in fast-uri JavaScript library allows remote attackers to bypass URL validation security controls. The normalize() function improperly decodes percent-encoded at-signs (%40) in hostnames, then re-serializes them as raw userinfo delimiters, causing URLs like 'http://trusted.com%40evil.com' to resolve to 'evil.com' instead of 'trusted.com'. Applications using fast-uri to validate URLs against allowlists or for redirect validation can be tricked into connecting to attacker-controlled domains. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no authentication. EPSS data not available; no confirmed active exploitation (not in CISA KEV). Vendor patch released in version 3.1.2.

Information Disclosure Fast Uri
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. Applications relying on fast-uri for URL validation in authorization checks can be tricked into allowing access to restricted resources. EPSS exploitation probability not yet calculated given recent disclosure; no active exploitation confirmed (not in CISA KEV), but attack vector is trivial (CVSS AV:N/AC:L/PR:N/UI:N) and patch is available in version 3.1.1.

Path Traversal Fast Uri
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy