CVE-2026-6321
HIGHfast-uri vulnerable to path traversal via percent-encoded dot segments
Title source: cnaDescription
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
References (20)
Core 20
Core References
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:19238
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:20338
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:21338
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:24473
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:24766
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:24866
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:24977
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:25089
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:25123
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:26214
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:26234
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:26416
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:26420
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-6321
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2466582
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34342
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:37385
Scores
CVSS v3
7.5
EPSS
0.0052
EPSS Percentile
40.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (4)
fast-uri/fast-uri
< 3.1.1
fast-uri/fast-uri
3.1.1
npm/fast-uri
0 - 3.1.1npm
openjsf/fast-uri
< 3.1.1
Published
May 04, 2026
Tracked Since
May 05, 2026