VYPR

npm package

fast-uri

pkg:npm/fast-uri

Vulnerabilities (2)

  • CVE-2026-6322HigMay 5, 2026
    affected < 3.1.2fixed 3.1.2

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw

  • CVE-2026-6321HigMay 4, 2026
    affected < 3.1.1fixed 3.1.1

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize