7.5

CVE-2026-13676

fast-uri vulnerable to host confusion via failed IDN canonicalization

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenjsfFast-uri SwPlatformnode.js Version >= 2.3.1 < 3.1.3
OpenjsfFast-uri SwPlatformnode.js Version >= 4.0.0 < 4.0.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.27% 0.191
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
ce714d77-add3-4f53-aff5-83d477b104bb 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE-436 Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

https://cna.openjsf.org/security-advisories.html
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2494197
Third Party Advisory
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13676.json
Third Party Advisory
https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6
Patch
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-13676
Third Party Advisory