PT-2026-36919 · Npm · Fast-Uri

Kaka +2 · Published 2026-05-04 · Updated 2026-05-04 · CVE-2026-6321

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

fast-uri versions prior to 3.1.1

Description

The normalize() and equal() functions decode percent-encoded path separators and dot segments before performing dot-segment removal. Encoded path data is therefore treated as actual slashes and parent-directory references, which allows distinct URIs to collapse into the same normalized path. Consequently, path-based policies that applications enforce with these functions on attacker-controlled URLs may be bypassed, because a path that appears confined under an allowed prefix can normalize to a different location.

Recommendations

Update to version 3.1.1 or later.
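
The decode-before-normalize order described above, modeled as an added example; it is not fast-uri's code and not part of the advisory. The helpers `decodeFirstNormalize`, `weakAllow`, `strictAllow` and `audit` are hypothetical names, and the sample paths are constructed. It puts a prefix check on the raw path beside a stricter check that rejects encoded dots and separators before testing the prefix.

```javascript
// Added model of the bug class, not fast-uri source.
// RFC 3986 section 5.2.4 dot-segment removal for an absolute path.
function removeDotSegments(path) {
  const out = [];
  const segs = path.split('/');
  segs.forEach((seg, i) => {
    if (seg === '.' || seg === '..') {
      if (seg === '..' && out.length > 1) out.pop();
      if (i === segs.length - 1) out.push(''); // keep the trailing slash
    } else {
      out.push(seg);
    }
  });
  return out.join('/');
}

// Flawed order from the advisory: decode every escape, then remove dot segments.
function decodeFirstNormalize(path) {
  const decoded = path.replace(/%([0-9a-f]{2})/gi,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  return removeDotSegments(decoded);
}

// Weak policy: prefix test on the raw path; the application then acts on the normalized one.
const weakAllow = (path, prefix) => path.startsWith(prefix);

// Hardened policy (hypothetical helper): refuse encoded dots and separators
// outright, then test the prefix on the path with dot segments removed.
function strictAllow(path, prefix) {
  if (/%2e|%2f/i.test(path)) return false;
  return removeDotSegments(path).startsWith(prefix);
}

// Constructed sample paths: one benign, three that leave the prefix.
const SAMPLES = [
  '/public/logo.png', '/public/%2e%2e/admin',
  '/public/..%2fadmin', '/public/../admin',
];

// For each sample: the path the flawed normalizer yields and both policy verdicts.
function audit(prefix) {
  return SAMPLES.map((path) => ({
    path,
    effective: decodeFirstNormalize(path),
    weak: weakAllow(path, prefix),
    strict: strictAllow(path, prefix),
  }));
}
console.table(audit('/public/'));
```

Rejecting the encoded forms is one mitigation for policy code that cannot rely on the normalizer; the advisory's own remedy is the upgrade to 3.1.1 or later.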

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-6321

Affected Products

Fast-Uri