CVE-2026-6321

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cna.openjsf.org/security-advisories.html	Vendor Advisory
https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openjsf:fast-uri:*:*:*:*:*:node.js:*:*

History

12 May 2026, 18:54

Type	Values Removed	Values Added
References	~~() https://cna.openjsf.org/security-advisories.html -~~	() https://cna.openjsf.org/security-advisories.html - Vendor Advisory
References	~~() https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 -~~	() https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 - Vendor Advisory
CPE		cpe:2.3:a:openjsf:fast-uri::::::node.js::*
First Time		Openjsf fast-uri Openjsf

04 May 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-04 20:16

Updated : 2026-05-12 18:54

NVD link : CVE-2026-6321

Mitre link : CVE-2026-6321

CVE.ORG link : CVE-2026-6321

JSON object : View

Products Affected

openjsf

fast-uri

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

7.5 /10