CVE-2026-42371
Status: Received - Intake
Numeric Truncation Vulnerability in uriparser <1.0.1 Affects URI Handling

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: MITRE

Description
uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.
Meta Information
Published: 2026-04-27
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-27
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: uriparser
Product: uriparser
Version / Range: before 1.0.1 (1.0.1 excluded)
CWE
CWE-197: Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42371 is a vulnerability in the uriparser library, specifically in the CompareRange function. The issue arises because the function converts pointer-difference lengths to an int type, which on 64-bit platforms can truncate large range lengths. This truncation causes the function to incorrectly treat ranges of different lengths as equal before comparing their content.

This improper handling of range-length values can lead to incorrect equality results and potential security issues when applications accept URIs with very large lengths (in gigabytes). The vulnerability was fixed by modifying the CompareRange function to compare the full range lengths without truncation.
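As an added illustration (not uriparser's CompareRange source), a C model of the narrowing described above, beside the full-width length check the fix adopts; the `compare_range_*` names, the 4 GiB length and the sample bytes are constructed assumptions, and a 64-bit `ptrdiff_t` is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Needs a platform where a pointer difference is wider than int (LP64/LLP64). */
_Static_assert(sizeof(ptrdiff_t) > sizeof(int), "64-bit ptrdiff_t assumed");

/* Model of the CWE-197 pattern in CVE-2026-42371: a range length obtained as
 * a pointer difference (ptrdiff_t) is narrowed to int before the two lengths
 * are compared. Constructed reconstruction, not the library's own code. */
static bool compare_range_truncating(const char *a, ptrdiff_t lenA,
                                     const char *b, ptrdiff_t lenB)
{
    int lenA32 = (int)lenA;   /* high 32 bits discarded */
    int lenB32 = (int)lenB;
    if (lenA32 != lenB32)
        return false;
    /* Lengths "match", so only lenA32 bytes are ever compared. */
    return memcmp(a, b, (size_t)lenA32) == 0;
}

/* Hardened form: compare the full-width lengths, no narrowing cast. */
static bool compare_range_fixed(const char *a, ptrdiff_t lenA,
                                const char *b, ptrdiff_t lenB)
{
    if (lenA != lenB)
        return false;
    return memcmp(a, b, (size_t)lenA) == 0;
}

/* Constructed scenario: both ranges start with the same 5 bytes, but the
 * second is 4 GiB longer, as a pointer difference across a gigabyte-scale
 * URI would be. Only those 5 bytes are backed by memory, which is exactly
 * how much the truncating version reads after the lengths collide. */
#define GIB4 ((ptrdiff_t)1 << 32)

bool truncating_says_equal(void)
{
    const char *a = "https", *b = "https";
    return compare_range_truncating(a, 5, b, 5 + GIB4);  /* true: wrong */
}

bool fixed_says_equal(void)
{
    const char *a = "https", *b = "https";
    return compare_range_fixed(a, 5, b, 5 + GIB4);       /* false: correct */
}
```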


How can this vulnerability impact me?

This vulnerability can impact applications that use the uriparser library to handle very large URIs. Because of the numeric truncation, the library might incorrectly consider two different URI ranges as equal, potentially leading to incorrect processing or validation of URIs.

Such incorrect URI comparisons could cause security issues, for example by bypassing checks that rely on accurate URI comparisons, which might lead to denial of service or other unexpected behavior in applications.

The CVSS score of 5.1 with a high attack complexity and local attack vector indicates a moderate severity impact primarily affecting availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves verifying the version of the uriparser library in use and testing the behavior of the CompareRange function with very large URI inputs.

Specifically, one can check if the uriparser version is before 1.0.1, as versions prior to this contain the numeric truncation flaw.

A practical approach is to run regression tests that attempt to compare URI ranges with lengths in the gigabyte range, which would cause crashes or incorrect results on vulnerable versions.

Commands to detect the vulnerability could include:

  • Checking the installed uriparser version, e.g., `pkg-config --modversion uriparser` or inspecting the package manager.
  • Running or adapting the regression test from the fix pull request that exercises large range comparisons to see if the vulnerable behavior occurs.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the uriparser library to version 1.0.1 or later, where the numeric truncation issue in the CompareRange function has been fixed.

If upgrading is not immediately possible, avoid processing URIs with extremely large lengths (in the gigabyte range) to prevent triggering the truncation flaw.

Additionally, review and apply any patches or commits related to the fix, such as those correcting the truncation in CompareRange and adding regression tests.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of the CVE-2026-42371 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

