CVE-2026-6321
Received Received - Intake
Path Normalization Bypass in fast-uri Library

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: openjs

Description
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-04
Generated
2026-05-07
AI Q&A
2026-05-05
EPSS Evaluated
2026-05-05
NVD
CVE-2026-6321
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
fast-uri fast-uri to 3.1.0 (inc)
fast-uri fast-uri 3.1.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the fast-uri library versions up to 3.1.0. The issue is that the library decodes percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Because encoded path data is treated like actual slashes and parent-directory references, different URIs that should be distinct can end up collapsing into the same normalized path.

As a result, applications that rely on normalizing or comparing attacker-controlled URLs to enforce path-based policies can be bypassed. An attacker can craft a path that appears to be confined under an allowed prefix but actually normalizes to a different location, potentially circumventing security controls.


How can this vulnerability impact me? :

The vulnerability can allow attackers to bypass path-based security policies by exploiting the way URLs are normalized. This means that an attacker could access resources or perform actions that should be restricted by the application’s URL path controls.

Since the CVSS score indicates a high impact on integrity (I:H) with no impact on confidentiality or availability, the main risk is unauthorized modification or manipulation of data or application behavior through crafted URLs.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update fast-uri to version 3.1.1 or later, as versions up to 3.1.0 are affected.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart