Description
In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.
Published: 2026-05-08
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The uriparser library’s EqualsUri function incorrectly treats distinct URIs as equal. This oversight lets an attacker supply a crafted URI that the function believes matches an authentic one, potentially bypassing security checks that depend on accurate URI comparison. The flaw is classified as CWE‑670, exposing a misimplementation of equality checks that erodes the reliability of URI validation.

Affected Systems

The weakness exists in the uriparser library distributed by uriparser:uriparser before version 1.0.2. All operating systems and applications that link against any pre‑1.0.2 release are impacted. Versions 1.0.2 and newer contain the fix.

Risk and Exploitability

The CVSS score of 2.9 indicates low severity. No EPSS data or KEV listing suggests that exploitation likelihood is currently low. Based on the description, it is inferred that an attacker could supply a crafted URI to any application that invokes EqualsUri for direct comparison – this could occur through crafted input, redirects, or API calls. With no publicly documented proof‑of‑concept, the practical risk is limited, but untrusted input into the vulnerable function remains a compliance concern.

Generated by OpenCVE AI on May 8, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the uriparser library to version 1.0.2 or newer.
  • Replace any use of EqualsUri with a stricter comparison that validates at least scheme, host, port, path, query, and fragment.
  • Review application logic that passes untrusted URIs to EqualsUri and apply proper input sanitization.

Generated by OpenCVE AI on May 8, 2026 at 08:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.
Weaknesses CWE-670
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T12:49:01.200Z

Reserved: 2026-05-08T07:15:27.989Z

Link: CVE-2026-44928

cve-icon Vulnrichment

Updated: 2026-05-08T12:48:56.361Z

cve-icon NVD

Status : Received

Published: 2026-05-08T08:16:44.153

Modified: 2026-05-08T08:16:44.153

Link: CVE-2026-44928

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T09:00:05Z

Weaknesses