CVE-2026-6321

CVE-2026-6321 is a path normalization vulnerability in the fast-uri JavaScript library, affecting versions up to and including 3.1.0. The issue arises because the library's normalize() and equal() functions decode percent-encoded path separators and dot segments before applying dot-segment removal. This causes encoded path data to be treated as real slashes and parent-directory references, allowing distinct URIs to collapse onto the same normalized path. Applications relying on fast-uri to normalize or compare attacker-controlled URLs for path-based access control policies are vulnerable to bypasses where a seemingly confined path normalizes to an unintended location. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required. By crafting a URL with percent-encoded path separators or dot segments (such as encoded slashes or "../" sequences), an attacker can trick the normalization process into resolving to a path outside the intended prefix. This enables bypass of security policies that check URLs against allowed directories, potentially allowing unauthorized access to sensitive files or endpoints in applications using fast-uri for URL handling.

Advisories from the OpenJS Foundation CNA and the fast-uri GitHub security advisory recommend updating to version 3.1.1 or later, where the decoding order is fixed to prevent premature interpretation of encoded segments.