PT-2026-53267 · Npm · Fast-Uri

Celinke97 +1 · Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-13676

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: fast-uri versions 2.3.1 through 3.1.2; fast-uri version 4.0.0

Description: The software fails to canonicalize Unicode Internationalized Domain Names (IDN) in the host of HTTP-family URLs. The IDN conversion path relies on a helper that the global URL constructor does not expose, so the conversion silently does nothing and the host stays in its original Unicode form. Consequently, normalize() and equal() return values that differ from those of a WHATWG-compatible URL parser. This is a parser differential that can lead to host confusion: an attacker can bypass host-based policies such as denylists, loopback filtering, redirect validation, or outbound proxy routing when the application validates a URL with fast-uri but hands it to Node's URL or fetch for the actual request.

Recommendations: Upgrade to version 3.1.3 for the 3.x line. Upgrade to version 4.0.1 for the 4.x line. Enforce host policy using the same URL parser that is used for the actual request. Reject non-ASCII hosts before performing policy checks.
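The last two recommendations, as an added example that is not code from fast-uri or from this advisory: the outbound host policy is evaluated on the hostname produced by Node's built-in WHATWG URL parser (the parser that URL/fetch will use for the real request), and non-ASCII input is rejected before any policy comparison. The DENIED_HOSTS list and the checkOutboundUrl name are assumptions made for this example.

```javascript
// Added example (not fast-uri code): host policy enforced on the canonical
// hostname from Node's WHATWG URL parser, so a host that another parser left
// un-canonicalized can never be the value the policy decision is made on.
// DENIED_HOSTS and checkOutboundUrl are assumptions made for this example.

// Constructed denylist for this example: hosts the application must never reach.
const DENIED_HOSTS = new Set(['localhost', 'metadata.internal']);

function hasNonAscii(s) {
  return /[^\x00-\x7f]/.test(s);
}

// Loopback literals as the WHATWG parser renders them (IPv4 127/8, IPv6 ::1).
function isLoopback(hostname) {
  return hostname.startsWith('127.') || hostname === '[::1]';
}

// Returns { ok: true, hostname } when the URL may be fetched, otherwise
// { ok: false, reason }. Every decision uses the canonical hostname from URL.
function checkOutboundUrl(raw) {
  // Reject non-ASCII input before any policy check, so no Unicode label
  // ever reaches the comparison logic regardless of how it would be parsed.
  if (hasNonAscii(raw)) return { ok: false, reason: 'non-ascii-input' };

  let url;
  try {
    url = new URL(raw); // WHATWG parsing: lowercases, punycodes, normalizes IPv4 literals
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }

  const hostname = url.hostname; // canonical form, e.g. "127.1" becomes "127.0.0.1"
  // Percent-encoded UTF-8 in the host is decoded and punycoded by the parser;
  // treat any resulting IDN label as non-ASCII input that slipped past the first check.
  if (hostname.split('.').some((label) => label.startsWith('xn--'))) {
    return { ok: false, reason: 'idn-host' };
  }
  if (isLoopback(hostname)) return { ok: false, reason: 'loopback' };
  if (DENIED_HOSTS.has(hostname)) return { ok: false, reason: 'denied-host' };
  return { ok: true, hostname };
}
```

Because the policy and the request share one parser, shorthand IPv4 literals, mixed-case hosts and percent-encoded host bytes are all compared in the form they will actually be resolved in.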

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-13676

Affected Products

Fast-Uri