CVE-2026-6321
Path Traversal vulnerability in fast-uri (npm)

Path Traversal | No known exploit

What is CVE-2026-6321 About?

This path traversal vulnerability in `fast-uri` stems from percent-encoded path separators (%2F) and dot segments (%2E) being decoded before dot-segment removal during normalization. Distinct URIs can therefore collapse into the same normalized path, letting an attacker bypass path-based security policies.

Affected Software

fast-uri <3.1.1

Technical Details

The vulnerability in fast-uri v3.1.0 and earlier arises because the library decodes percent-encoded path separators (%2F) and dot segments (%2E) before applying dot-segment removal in the normalize() and equal() functions. This pre-decoding causes encoded path data to be treated as actual path delimiters (/) or parent directory references (..). Consequently, a URI that appears to be confined under an allowed prefix (e.g., http://example.com/public/%2e%2e/admin) can normalize to a completely different, potentially unauthorized location (http://example.com/admin), bypassing security checks that rely on normalized paths.
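To make the ordering problem concrete, the following is an added example written for this page; it is not fast-uri's code and does not call the library. It implements RFC 3986 section 5.2.4 dot-segment removal, shows that decoding every percent-escape before that step collapses `/public/%2e%2e/admin` into `/admin`, and then gives a conservative defender-side check (`isConfinedUnder`, a hypothetical helper name) that removes dot segments on the still-encoded path and rejects any path whose decoding would reveal new separators or dot segments. The choice to reject encoded `/` outright is a deliberately strict policy for this example, not something the advisory prescribes.

```javascript
// Added example (not fast-uri's implementation). Demonstrates why the
// order of percent-decoding and dot-segment removal matters for paths
// that feed an access-control decision.

// RFC 3986 section 5.2.4 "remove_dot_segments", applied to the path
// string exactly as given: nothing is percent-decoded in here, so an
// encoded "%2e%2e" segment is just an ordinary segment to this function.
function removeDotSegments(input) {
  const output = [];
  let s = input;
  while (s.length > 0) {
    if (s.startsWith('../')) s = s.slice(3);
    else if (s.startsWith('./')) s = s.slice(2);
    else if (s.startsWith('/./')) s = s.slice(2);
    else if (s === '/.') s = '/';
    else if (s.startsWith('/../')) { s = s.slice(3); output.pop(); }
    else if (s === '/..') { s = '/'; output.pop(); }
    else if (s === '.' || s === '..') s = '';
    else {
      // Move the first segment (with its leading slash, if any) to output.
      const start = s.startsWith('/') ? 1 : 0;
      const next = s.indexOf('/', start);
      const end = next === -1 ? s.length : next;
      output.push(s.slice(0, end));
      s = s.slice(end);
    }
  }
  return output.join('');
}

// The problematic order described in the advisory: decode every
// percent-escape first, then remove dot segments. "%2e%2e" becomes ".."
// and is then treated as a real parent-directory reference.
function decodeThenNormalize(path) {
  return removeDotSegments(decodeURIComponent(path));
}

// Count literal "/" characters in a string.
function slashCount(s) {
  return (s.match(/\//g) || []).length;
}

// Conservative policy check: is `path` confined under `prefix`
// (prefix must end with "/")? Dot segments are removed on the encoded
// form first, the prefix is checked, and the path is then rejected if
// percent-decoding would introduce new "/" delimiters or dot segments.
function isConfinedUnder(path, prefix) {
  const normalized = removeDotSegments(path);
  if (!normalized.startsWith(prefix)) return false;

  let decoded;
  try {
    decoded = decodeURIComponent(normalized);
  } catch (e) {
    return false; // malformed percent-encoding: refuse rather than guess
  }

  // Encoded "/" (%2F) would add delimiters that the prefix check never saw.
  if (slashCount(decoded) !== slashCount(normalized)) return false;

  // Encoded "." (%2E) would reveal dot segments that survived normalization.
  if (removeDotSegments(decoded) !== decoded) return false;

  return true;
}

// Constructed sample inputs illustrating the advisory's scenario.
const samples = [
  '/public/index.html',          // plain, allowed
  '/public/caf%C3%A9.html',      // harmless non-ASCII escape, allowed
  '/public/%2e%2e/admin',        // encoded dot segment, rejected
  '/public/..%2fadmin',          // encoded separator, rejected
  '/public/../admin',            // literal traversal, fails prefix
];
for (const p of samples) {
  console.log(p, '->', isConfinedUnder(p, '/public/'));
}
console.log('decode-first normalization of /public/%2e%2e/admin:',
  decodeThenNormalize('/public/%2e%2e/admin')); // -> /admin
```

Running the block prints `/admin` for the decode-first path, which is exactly the collapse the advisory describes; `isConfinedUnder` instead keeps `/public/%2e%2e/admin` as an opaque segment under `/public/`, notices that decoding would expose `..`, and rejects it.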

What is the Impact of CVE-2026-6321?

Successful exploitation may allow attackers to bypass path-based security policies, access unauthorized resources, or trigger unintended operations by manipulating URI normalization.

What is the Exploitability of CVE-2026-6321?

Exploitation requires an attacker to supply a crafted URI containing percent-encoded path separators or dot segments to an application that uses fast-uri for path normalization or comparison. No authentication or special privileges are needed beyond the ability to submit URIs, so this is a remote exploitation scenario. The complexity is low, as it relies on a specific behavior of the library. The risk is greater in applications that enforce access control or resource restrictions based on URI paths and do not properly sanitize or validate incoming URLs before fast-uri processes them.

What are the Known Public Exploits?

No known exploits. (No PoC, author, link or commentary entries are listed.)

What are the Available Fixes for CVE-2026-6321?

Available Upgrade Options

  • fast-uri
    • <3.1.1 → Upgrade to 3.1.1


Additional Resources

What are Similar Vulnerabilities to CVE-2026-6321?

Similar Vulnerabilities: CVE-2023-28101, CVE-2022-24765, CVE-2021-36069, CVE-2020-28498, CVE-2019-10758