HIGH🇬🇧 English

CVE-2026-13676

CVSS 7.5v3.1pub. 2026-06-29upd. 2026-07-02

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Openjsf Fast Uri

    APP
    Openjsf
    2.3.1 – 3.1.3 (bez)4.0.0 – 4.0.1 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-6322HIGH7.5ten sam produkt

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitte...

CVE-2026-6321HIGH7.5ten sam produkt

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its n...

CVE-2026-25244CRITICAL9.8PL ✓ten sam vendor

WebdriverIO: command injection w orkiestracji testów prowadzący do RCE

CVE-2026-10796HIGH7.5ten sam vendor

nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the con...

CVE-2025-57349HIGH7.5ten sam vendor

The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is v...