Uriparser
by Uriparser
Source repositories
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42371 | Med | 0.26 | 5.1 | 0.00 | Apr 27, 2026 | uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes. | ||
| CVE-2025-67899 | Low | 0.19 | 2.9 | 0.00 | Dec 14, 2025 | uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas. | ||
| CVE-2026-44928 | Low | 0.12 | 2.9 | 0.00 | May 8, 2026 | In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal. | ||
| CVE-2026-44927 | Low | 0.12 | 2.9 | 0.00 | May 8, 2026 | In uriparser before 1.0.2, there is pointer difference truncation to int in various places. | ||
| CVE-2024-34403 | 0.00 | — | 0.01 | May 3, 2024 | An issue was discovered in uriparser through 0.9.7. ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a long string. | |||
| CVE-2024-34402 | 0.00 | — | 0.01 | May 3, 2024 | An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow. | |||
| CVE-2021-46141 | 0.00 | — | 0.01 | Jan 6, 2022 | An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner. | |||
| CVE-2021-46142 | 0.00 | — | 0.01 | Jan 6, 2022 | An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax. | |||
| CVE-2018-20721 | 0.00 | — | 0.02 | Jan 16, 2019 | URI_FUNC() in UriParse.c in uriparser before 0.9.1 has an out-of-bounds read (in uriParse*Ex* functions) for an incomplete URI with an IPv6 address containing an embedded IPv4 address, such as a "//[::44.1" address. | |||
| CVE-2018-19198 | 0.00 | — | 0.02 | Nov 12, 2018 | An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx* function because the '&' character is mishandled in certain contexts. | |||
| CVE-2018-19199 | 0.00 | — | 0.02 | Nov 12, 2018 | An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an integer overflow via a uriComposeQuery* or uriComposeQueryEx* function because of an unchecked multiplication. | |||
| CVE-2018-19200 | 0.00 | — | 0.02 | Nov 12, 2018 | An issue was discovered in uriparser before 0.9.0. UriCommon.c allows attempted operations on NULL input via a uriResetUri* function. |
- risk 0.26cvss 5.1epss 0.00
uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.
- risk 0.19cvss 2.9epss 0.00
uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.
- risk 0.12cvss 2.9epss 0.00
In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.
- risk 0.12cvss 2.9epss 0.00
In uriparser before 1.0.2, there is pointer difference truncation to int in various places.
- CVE-2024-34403May 3, 2024risk 0.00cvss —epss 0.01
An issue was discovered in uriparser through 0.9.7. ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a long string.
- CVE-2024-34402May 3, 2024risk 0.00cvss —epss 0.01
An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow.
- CVE-2021-46141Jan 6, 2022risk 0.00cvss —epss 0.01
An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.
- CVE-2021-46142Jan 6, 2022risk 0.00cvss —epss 0.01
An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.
- CVE-2018-20721Jan 16, 2019risk 0.00cvss —epss 0.02
URI_FUNC() in UriParse.c in uriparser before 0.9.1 has an out-of-bounds read (in uriParse*Ex* functions) for an incomplete URI with an IPv6 address containing an embedded IPv4 address, such as a "//[::44.1" address.
- CVE-2018-19198Nov 12, 2018risk 0.00cvss —epss 0.02
An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx* function because the '&' character is mishandled in certain contexts.
- CVE-2018-19199Nov 12, 2018risk 0.00cvss —epss 0.02
An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an integer overflow via a uriComposeQuery* or uriComposeQueryEx* function because of an unchecked multiplication.
- CVE-2018-19200Nov 12, 2018risk 0.00cvss —epss 0.02
An issue was discovered in uriparser before 0.9.0. UriCommon.c allows attempted operations on NULL input via a uriResetUri* function.