VYPR

Fast Uri

by Fastify

Source repositories

CVEs (2)

  • CVE-2026-6322HigMay 5, 2026
    risk 0.49cvss 7.5epss 0.00

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a…

  • CVE-2026-6321HigMay 4, 2026
    risk 0.42cvss 7.5epss 0.01

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same…