Improper type assignation in node-ajv
Description
fast-uri vulnerable to path traversal via percent-encoded dot segments
Impact
fast-uri v3.1.0 and earlier decodes percent-encoded path separators (%2F) and dot segments (%2E) before applying dot-segment removal in normalize() and equal(). This makes encoded path data behave like real / and .., so distinct URIs collapse onto the same normalized path.
For example, http://example.com/public/%2e%2e/admin normalizes to http://example.com/admin, and equal() considers them the same URI.
Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed. A path that looks confined under an allowed prefix can normalize to a different location.
Patches
Upgrade to fast-uri >= 3.1.1.
Workarounds
None. Upgrade to the patched version.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| debian 11 | node-ajv | - | |
| debian 12 | node-ajv | - | |
| debian 13 | node-ajv | - | |
| debian 14 | node-ajv | - | |
| rpm rhel10 | linux-sgx | - | - |
| rpm rhel9 | linux-sgx | - | - |
| npm | fast-uri | | 3.1.1 |
Aliases
References