Intel

AIKIDO-2026-507986

fast-uri is vulnerable to Host Confusion

Host ConfusionCVE-2026-13676 Published Jul 1, 2026

75

High Risk

This Affects:

JSfast-uri
2.3.1 - 3.1.2
Fixed in 3.1.3
4.0.0 - 4.0.0
Fixed in 4.0.1
Are you affected? Scan for Free

TL;DR

fast-uri's host canonicalization for Unicode/IDN values was fixed to prevent security bypasses caused by inconsistent ASCII/Unicode host handling. The patch changes normalization to use WHATWG URL parsing (new URL('http://' + parsed.host).hostname) and adds tests to ensure correct ASCII/punycode outputs.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

fast-uri is vulnerable to Host Confusion in versions 2.3.1 - 3.1.2 and 4.0.0 - 4.0.0.

How to fix this

Upgrade the fast-uri library to the patch version.