High severity7.5NVD Advisory· Published May 4, 2026· Updated May 12, 2026

CVE-2026-6321

Description

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
fast-urinpm	< 3.1.1	3.1.1

Affected products

Fastify/Fast Uriinferred
Range: <=3.1.0
Openjsf/Fast Uri
cpe:2.3:a:openjsf:fast-uri:*:*:*:*:*:node.js:*:*
Range: <3.1.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cna.openjsf.org/security-advisories.htmlnvdVendor AdvisoryWEB
github.com/advisories/GHSA-q3j6-qgpj-74h6ghsaADVISORY
github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-6321ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000