CVE-2026-13676
Status: Received - Intake

fast-uri IDN Hostname Canonicalization Bypass

Vulnerability report for CVE-2026-13676, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: openjs

Description

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

4 associated CPEs:

Vendor     Product    Version / Range
fast-uri   fast-uri   2.3.1 (inclusive) through 3.1.2 (inclusive)
fast-uri   fast-uri   3.1.3
fast-uri   fast-uri   4.0.0
fast-uri   fast-uri   4.0.1

Note: per the description, only 2.3.1 through 3.1.2 and 4.0.0 are affected; 3.1.3 and 4.0.1 are the patched releases and are listed here as associated CPEs.

Exploitability

CWE: CWE-436 (Interpretation Conflict): Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Executive Summary

The vulnerability exists in fast-uri versions 2.3.1 through 3.1.2 and 4.0.0, where the library fails to properly canonicalize Unicode (IDN) hostnames for HTTP-family URLs. This happens because the IDN conversion path calls a helper that does not exist on the global WHATWG URL constructor, so the call silently does nothing and the host remains in its original Unicode form instead of being normalized to ASCII.

As a result, functions like normalize() and equal() return values that differ from those of a WHATWG-compatible URL parser such as Node's URL or fetch. This discrepancy can cause applications that use fast-uri to enforce host-based policies (like denylists, loopback filtering, redirect validation, or outbound proxy routing) to be bypassed, since the same URL input resolves to different hosts depending on the parser used.

The issue has been patched in fast-uri versions 3.1.3 and 4.0.1.

Compliance Impact

The vulnerability in fast-uri causes discrepancies in hostname canonicalization, which can lead to bypassing host-based policies such as denylists, loopback filtering, redirect validation, and outbound proxy routing. This can result in unintended destinations being accessed or unauthorized network communications occurring.

Such behavior may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data access, transmission, and security policies. If host-based policies are bypassed, it could lead to unauthorized data exposure or transmission, violating confidentiality and integrity requirements mandated by these regulations.

To mitigate these risks and maintain compliance, it is recommended to upgrade fast-uri to patched versions (3.1.3 or 4.0.1) or enforce host policies using the same URL parser as the actual request, or reject non-ASCII hosts before policy checks.

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass host-based security policies enforced by applications using fast-uri. Because fast-uri does not canonicalize Unicode hostnames correctly, URLs that should be blocked or filtered might be accepted, leading to unintended destinations.

Such bypasses can affect denylists, loopback filtering, redirect validation, and outbound proxy routing, potentially allowing malicious URLs to evade security controls.

The CVSS score of 7.5 indicates a high severity with an integrity impact, meaning attackers can cause incorrect behavior without needing privileges or user interaction.

Detection Guidance

This vulnerability involves fast-uri failing to canonicalize Unicode (IDN) hostnames properly, causing discrepancies between fast-uri and Node's WHATWG URL parser. Detection involves identifying URLs where the hostnames remain in Unicode form instead of being normalized to ASCII.

To detect this on your system, you can test URLs with Unicode hostnames using fast-uri's parse() or normalize() functions and compare the results with Node's built-in URL parser or fetch(). If the hostnames differ, the vulnerability may be present.

  • Use a script or command to parse a URL with a Unicode hostname with both fast-uri and Node's URL parser, then compare the host each one reports.
  • Example Node.js commands:
    1. Parse the URL with fast-uri: `const fastUri = require('fast-uri'); console.log(fastUri.parse('http://127。0。0。1/').host);`
    2. Parse the URL with Node's URL parser: `console.log(new URL('http://127。0。0。1/').host);`
  • If fast-uri returns the host in Unicode form (e.g., '127。0。0。1') while Node's URL parser returns the ASCII-normalized form (e.g., '127.0.0.1'), the vulnerability exists.

Mitigation Strategies

Immediate mitigation steps include upgrading fast-uri to a patched version and applying workarounds to avoid policy bypass.

  • Upgrade fast-uri to version 3.1.3 if using the 3.x line or 4.0.1 if using the 4.x line, where the vulnerability is patched.
  • Enforce host-based policies using the same URL parser that will be used for the actual request, such as Node's WHATWG URL parser, to avoid discrepancies.
  • Alternatively, reject URLs with non-ASCII hostnames before performing policy checks to prevent bypass.
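The differential check from Detection Guidance and the two workarounds from Mitigation Strategies, combined into one runnable Node.js example. This is added illustration, not code from the advisory or from the fast-uri project, and it needs no third-party package: `naiveHost` is a constructed stand-in that reproduces the behaviour the advisory describes (authority taken verbatim, no Unicode canonicalization), `DENIED_HOSTS` is a constructed sample denylist, and all function names are the example's own. To run the comparison against a real fast-uri install, pass `(u) => fastUri.parse(u).host` in place of `naiveHost`.

```javascript
// Added example (not from the advisory or the fast-uri project). Runs on
// Node.js >= 18 with the built-in WHATWG URL class only.

// Stand-in for the vulnerable behaviour the advisory describes: a policy-side
// parser that returns the authority exactly as written, never canonicalizing
// Unicode. Constructed for illustration only.
function naiveHost(rawUrl) {
  const m = /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/([^/?#]*)/.exec(rawUrl);
  if (!m) return null;
  // Drop userinfo and port; keep the host characters untouched.
  return m[1].replace(/^.*@/, '').replace(/:\d+$/, '').toLowerCase();
}

// Host as the request path (Node's URL / fetch) will see it. Returns null for
// inputs the WHATWG parser rejects, so callers fail closed.
function whatwgHost(rawUrl) {
  try {
    return new URL(rawUrl).hostname;
  } catch {
    return null;
  }
}

// Detection: do the policy-side parser and the request-side parser agree on
// the host? A mismatch on a Unicode host is the condition the advisory
// describes.
function compareHosts(rawUrl, policyHostFn) {
  const policyHost = policyHostFn(rawUrl);
  const requestHost = whatwgHost(rawUrl);
  return { rawUrl, policyHost, requestHost, agree: policyHost === requestHost };
}

// Constructed sample denylist: loopback plus the link-local metadata address
// that egress policy commonly blocks.
const DENIED_HOSTS = new Set(['localhost', '127.0.0.1', '169.254.169.254']);

// Vulnerable pattern: policy decided by one parser, request made by another.
// For 'http://127。0。0。1/' this returns true (the denylist is bypassed).
function allowedByNaivePolicy(rawUrl) {
  const host = naiveHost(rawUrl);
  return host !== null && !DENIED_HOSTS.has(host);
}

// Workaround 1: decide policy with the same parser the request will use.
// For 'http://127。0。0。1/' this returns false.
function allowedBySameParser(rawUrl) {
  const host = whatwgHost(rawUrl);
  return host !== null && !DENIED_HOSTS.has(host);
}

// Workaround 2: reject any non-ASCII authority before the policy check. This
// deliberately refuses legitimate IDNs; it is the conservative option.
function allowedAsciiOnly(rawUrl) {
  const m = /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/([^/?#]*)/.exec(rawUrl);
  if (!m || /[^\x00-\x7f]/.test(m[1])) return false;
  return allowedBySameParser(rawUrl);
}
```

`compareHosts('http://127。0。0。1/', naiveHost)` reports `policyHost` '127。0。0。1' against `requestHost` '127.0.0.1' with `agree: false`, which is exactly the mismatch the detection steps look for; the same call with 'http://example.com/' agrees. Of the three policy functions only `allowedByNaivePolicy` lets the loopback URL through, which is the bypass the advisory describes.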
