CVE-2026-6321
Published: 04 May 2026
Summary
CVE-2026-6321 is a high-severity Path Traversal (CWE-22) vulnerability in Openjsf Fast-Uri. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6321 is a path normalization vulnerability in the fast-uri JavaScript library, affecting versions up to and including 3.1.0. The issue arises because the library's normalize() and equal() functions decode percent-encoded path separators and dot segments before applying dot-segment removal. This causes encoded path data to be treated as real slashes and parent-directory references, allowing distinct URIs to collapse onto the same normalized path. Applications relying on fast-uri to normalize or compare attacker-controlled URLs for path-based access control policies are vulnerable to bypasses where a seemingly confined path normalizes to an unintended location. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required. By crafting a URL with percent-encoded path separators or dot segments (such as encoded slashes or "../" sequences), an attacker can trick the normalization process into resolving to a path outside the intended prefix. This enables bypass of security policies that check URLs against allowed directories, potentially allowing unauthorized access to sensitive files or endpoints in applications using fast-uri for URL handling.
Advisories from the OpenJS Foundation CNA and the fast-uri GitHub security advisory recommend updating to version 3.1.1 or later, where the decoding order is fixed to prevent premature interpretation of encoded segments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27129
Vulnerability details
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications…
more
that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path normalization bypass (CWE-22) in a URI library directly enables remote exploitation of public-facing applications to bypass directory-based access controls and reach unauthorized files/endpoints.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the path normalization flaw in fast-uri versions <=3.1.0 by requiring timely identification, reporting, and patching to version 3.1.1 or later.
Requires validation of attacker-controlled URL inputs for proper syntax and semantics, preventing percent-encoded path separators and dot segments from bypassing normalization.
Enforces approved access authorizations for path-based policies, mitigating bypasses where faulty normalization allows unauthorized access to restricted locations.