fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NOpenjsf Fast Uri
APPOpenjsf< 3.1.1
Related vulnerabilities
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family U...
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitte...
WebdriverIO: command injection w orkiestracji testów prowadzący do RCE
nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the con...
The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is v...