Threat Advisory

fast-uri vulnerable to path traversal and host confusion

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in fast-uri, affecting versions <= 3.1.0 for CVE-2026-6321 and versions <= 3.1.1 for CVE-2026-6322. These vulnerabilities allow for path traversal and host confusion via percent-encoded path separators and authority delimiters. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed or steered to a different authority than the input appeared to specify. This poses a significant risk to business applications that rely on URL normalization and validation, potentially leading to data exposure, unauthorized access, or other malicious activities.

• CVE-2026-6321 with a CVSS score of 7.5 – fast-uri decodes percent-encoded path separators and dot segments before applying dot-segment removal, allowing for path traversal. An attacker can bypass path-based policy by normalizing a path that appears confined under an allowed prefix to a different location.

• CVE-2026-6322 with a CVSS score of 7.5 – fast-uri decodes percent-encoded authority delimiters inside the host component and re-emits them as raw delimiters, allowing for host confusion. An attacker can steer an application to a different authority than the input appeared to specify by combining an allowed domain, an encoded at-sign, and a different domain.

The identified vulnerabilities pose a high risk to business applications that rely on URL normalization and validation. If exploited, they may lead to unauthorized access, data exposure, or other malicious activities, potentially resulting in financial loss, reputational damage, or compromised customer trust.

RECOMMENDATION:

We recommend updating fast-uri to version 3.1.2 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-q3j6-qgpj-74h6
https://github.com/advisories/GHSA-v39h-62p7-jpjc
