Description
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
Published: 2026-05-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug in fast-uri causes percent-encoded slashes and dot segments to be decoded before the standard dot-segment removal routine runs. As a result, attacker-controlled URLs containing encoded path components can resolve to a different file system location than the one they appear to target. If an application uses fast-uri to enforce a path-based restriction or to compare URLs, it can be made to believe a request is confined to an allowed area when it in fact points elsewhere. The vulnerability is a typical instance of CWE-22, a path traversal weakness that can undermine the confidentiality and integrity of protected resources.

Affected Systems

The affected products are applications that depend on the fast-uri library (fast-uri:fast-uri). All releases up to and including version 3.1.0 are vulnerable; the recommended fix is to update to version 3.1.1 or later. Any deployment that normalizes or compares an attacker-controlled URI against an allowed-prefix policy should review its library version and usage.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity; no EPSS score is available, so the exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a specially crafted URL to an application that performs fast-uri normalization or equality checks on untrusted input. If exploited, the attacker's requested resource maps to an unintended location, potentially giving unauthorized access to protected files or data.

Generated by OpenCVE AI on May 4, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the fast-uri library to version 3.1.1 or higher to apply the vendor-provided fix.
  • Verify that every place in the codebase that uses fast-uri for path validation or comparison is running the new version, or replace it with an alternative library that performs dot-segment removal on the still percent-encoded path rather than decoding it first.
  • After upgrading, run targeted tests against known path-traversal patterns to confirm that URLs with percent-encoded dot segments or separators no longer resolve to disallowed locations.
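As an added example (not fast-uri's code, nor the project's fix) of the test in the last action: RFC 3986 dot-segment removal applied to the still-encoded path, beside a flawed variant that percent-decodes first, with constructed traversal patterns run against both under an allowed-prefix policy. The function names and sample paths are assumptions made here.

```javascript
'use strict';

// RFC 3986 section 5.2.4 remove_dot_segments on an absolute path. It works on
// the raw (still percent-encoded) path, so "%2e%2e" and "..%2F" are ordinary
// segment text, not traversal.
function removeDotSegments(path) {
  const segs = path.split('/');
  const out = [];
  for (let i = 0; i < segs.length; i++) {
    const seg = segs[i];
    const last = i === segs.length - 1;
    if (seg === '.') {
      if (last) out.push('');            // "/a/."    -> "/a/"
    } else if (seg === '..') {
      if (out.length > 1) out.pop();     // never pop the leading root ""
      if (last) out.push('');            // "/a/b/.." -> "/a/"
    } else {
      out.push(seg);
    }
  }
  return out.join('/');
}

// Flawed ordering, as the advisory describes it: percent-decode first, then
// remove dot segments. Encoded separators and dots now act like real ones.
function flawedNormalize(path) {
  let decoded;
  try { decoded = decodeURIComponent(path); } catch (e) { decoded = path; }
  return removeDotSegments(decoded);
}

// Correct ordering: dot-segment removal on the encoded path. Any decoding the
// application needs happens afterwards, per segment.
function safeNormalize(path) {
  return removeDotSegments(path);
}

// Constructed patterns for the post-upgrade regression test (assumed here).
const TRAVERSAL_PATTERNS = [
  '/allowed/%2e%2e/secret',
  '/allowed/..%2Fsecret',
  '/allowed/%2e%2e%2Fsecret',
  '/allowed/sub/../ok',
];

// Returns the patterns whose normalized form escapes the allowed prefix.
function escapes(normalize, prefix = '/allowed/') {
  return TRAVERSAL_PATTERNS.filter((p) => !normalize(p).startsWith(prefix));
}
```

A non-empty result from `escapes(...)` for the library wrapper under test is the regression the upgrade is meant to remove; the flawed variant reports the three encoded patterns, the safe one reports none.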

Generated by OpenCVE AI on May 4, 2026 at 21:22 UTC.


Advisories

No advisories yet.

History

Mon, 04 May 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
Title | | fast-uri vulnerable to path traversal via percent-encoded dot segments
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-05-04T19:31:57.253Z

Reserved: 2026-04-14T20:23:01.545Z

Link: CVE-2026-6321

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T20:16:20.950

Modified: 2026-05-04T20:16:20.950

Link: CVE-2026-6321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T21:30:09Z

Weaknesses