Intel

AIKIDO-2026-10784

fast-uri is vulnerable to Path Traversal

Path TraversalCVE-2026-6321 Published May 8, 2026

75

High Risk

This Affects:

JSfast-uri
0.0.1 - 3.1.0
Fixed in 3.1.1
Are you affected? Scan for Free

TL;DR

normalize() and equal() decoded percent-encoded slash and dot segments before dot-segment removal, so encoded sequences could collapse paths the same way literal separators would. Distinct URIs could normalize to the same path and compare equal, weakening checks that rely on normalization or equality over attacker-controlled URLs. The fix preserves reserved percent-escapes in path handling so policy based on normalized paths cannot be bypassed that way.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

fast-uri is vulnerable to Path Traversal in versions 0.0.1 - 3.1.0.

How to fix this

Upgrade the fast-uri library to the patch version.

Links

Other

cna.openjsf.org/security-advisories.html
https://cna.openjsf.org/security-advisories.html
access.redhat.com/errata/RHSA-2026:19238
https://access.redhat.com/errata/RHSA-2026:19238
access.redhat.com/errata/RHSA-2026:20338
https://access.redhat.com/errata/RHSA-2026:20338
access.redhat.com/errata/RHSA-2026:21338
https://access.redhat.com/errata/RHSA-2026:21338
access.redhat.com/errata/RHSA-2026:24473
https://access.redhat.com/errata/RHSA-2026:24473
access.redhat.com/errata/RHSA-2026:24766
https://access.redhat.com/errata/RHSA-2026:24766
access.redhat.com/errata/RHSA-2026:24866
https://access.redhat.com/errata/RHSA-2026:24866
access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:24977
access.redhat.com/errata/RHSA-2026:25089
https://access.redhat.com/errata/RHSA-2026:25089
access.redhat.com/errata/RHSA-2026:25123
https://access.redhat.com/errata/RHSA-2026:25123
access.redhat.com/errata/RHSA-2026:26214
https://access.redhat.com/errata/RHSA-2026:26214
access.redhat.com/errata/RHSA-2026:26234
https://access.redhat.com/errata/RHSA-2026:26234
access.redhat.com/errata/RHSA-2026:26416
https://access.redhat.com/errata/RHSA-2026:26416
access.redhat.com/errata/RHSA-2026:26420
https://access.redhat.com/errata/RHSA-2026:26420
access.redhat.com/errata/RHSA-2026:34342
https://access.redhat.com/errata/RHSA-2026:34342
access.redhat.com/errata/RHSA-2026:37385
https://access.redhat.com/errata/RHSA-2026:37385
access.redhat.com/security/cve/CVE-2026-6321
https://access.redhat.com/security/cve/CVE-2026-6321
bugzilla.redhat.com/show_bug.cgi?id=2466582
https://bugzilla.redhat.com/show_bug.cgi?id=2466582
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6321.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6321.json