Description
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
Published: 2026-06-29
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

fast-uri versions from 2.3.1 through 3.1.2 and 4.0.0 do not correctly canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The helper function called for IDN conversion is missing on the global URL constructor, leaving the host in its original Unicode form. As a result, the normalize() and equal() methods of fast-uri differ from a WHATWG-compatible URL parser. This host confusion allows attackers to craft URLs that resolve to different hosts under fast-uri and Node's native URL implementation. Applications that first enforce host-based policy using fast-uri before making an outbound request with Node's URL or fetch can be bypassed, potentially enabling SSRF or other malicious redirection attacks.

Affected Systems

The affected product is fast-uri provided by the fast-uri project. Vulnerable versions are 2.3.1 through 3.1.2 inclusive and 4.0.0. Any application that relies on fast-uri for host validation, denylists, loopback filtering, redirect checks, or outbound proxy routing may unknowingly allow policy bypass.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, indicating high severity, but no EPSS score is available and it is not listed in the CISA KEV catalog. Attackers can exploit this weakness by supplying a crafted Unicode domain that fast-uri interprets differently from Node's native parser, thereby evading host-based restrictions imposed by the application. Exploitation requires network access to the vulnerable service and the ability to supply user-controlled URLs; once bypassed, the attacker could reach internal resources or redirect traffic to a malicious server.

Generated by OpenCVE AI on June 29, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast-uri to the latest fixed release (3.1.3 for the 3.x series or 4.0.1 for the 4.x series).
  • When an upgrade is not immediately possible, enforce host-based policy using the same URL parser that will be used for the actual HTTP request, ensuring consistent host canonicalization.
  • As an additional temporary measure, reject any URLs that contain non-ASCII host characters before performing host validation.


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Fast-uri
                                      Fast-uri fast-uri
Vendors & Products                    Fast-uri
                                      Fast-uri fast-uri

Mon, 29 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 13:30:00 +0000

Type          Values Removed   Values Added
Description                    fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
Title                          fast-uri vulnerable to host confusion via failed IDN canonicalization
Weaknesses                     CWE-436
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-29T13:53:31.092Z

Reserved: 2026-06-29T10:37:49.461Z

Link: CVE-2026-13676

Vulnrichment

Updated: 2026-06-29T13:53:26.275Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:00:05Z

Weaknesses