Home

Description

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.

PUBLISHED Reserved 2026-04-14 | Published 2026-05-04 | Updated 2026-05-05 | Assigner openjs




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 3.1.1
affected

3.1.1 (semver)
unaffected

Credits

Jvr reporter

Matteo Collina remediation developer

Ulises Gascón remediation reviewer

KaKa remediation reviewer

References

github.com/...st-uri/security/advisories/GHSA-q3j6-qgpj-74h6

cna.openjsf.org/security-advisories.html

cve.org (CVE-2026-6321)

nvd.nist.gov (CVE-2026-6321)

Download JSON