Cyber Resilience

CVE-2026-6321

HighUpdated

Published: 04 May 2026

Published
04 May 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0005 16.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6321 is a high-severity Path Traversal (CWE-22) vulnerability in Openjsf Fast-Uri. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6321 is a path normalization vulnerability in the fast-uri JavaScript library, affecting versions up to and including 3.1.0. The issue arises because the library's normalize() and equal() functions decode percent-encoded path separators and dot segments before applying dot-segment removal. This causes encoded path data to be treated as real slashes and parent-directory references, allowing distinct URIs to collapse onto the same normalized path. Applications relying on fast-uri to normalize or compare attacker-controlled URLs for path-based access control policies are vulnerable to bypasses where a seemingly confined path normalizes to an unintended location. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required. By crafting a URL with percent-encoded path separators or dot segments (such as encoded slashes or "../" sequences), an attacker can trick the normalization process into resolving to a path outside the intended prefix. This enables bypass of security policies that check URLs against allowed directories, potentially allowing unauthorized access to sensitive files or endpoints in applications using fast-uri for URL handling.

Advisories from the OpenJS Foundation CNA and the fast-uri GitHub security advisory recommend updating to version 3.1.1 or later, where the decoding order is fixed to prevent premature interpretation of encoded segments.

EU & UK References

Vulnerability details

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications…

more

that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path normalization bypass (CWE-22) in a URI library directly enables remote exploitation of public-facing applications to bypass directory-based access controls and reach unauthorized files/endpoints.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6322Same product: Openjsf Fast-Uri
CVE-2025-64075Shared CWE-22
CVE-2024-53537Shared CWE-22
CVE-2024-36512Shared CWE-22
CVE-2025-0493Shared CWE-22
CVE-2025-70231Shared CWE-22
CVE-2026-43888Shared CWE-22
CVE-2025-15031Shared CWE-22
CVE-2026-25785Shared CWE-22
CVE-2025-11366Shared CWE-22

Affected Assets

openjsf
fast-uri
≤ 3.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the path normalization flaw in fast-uri versions <=3.1.0 by requiring timely identification, reporting, and patching to version 3.1.1 or later.

prevent

Requires validation of attacker-controlled URL inputs for proper syntax and semantics, preventing percent-encoded path separators and dot segments from bypassing normalization.

prevent

Enforces approved access authorizations for path-based policies, mitigating bypasses where faulty normalization allows unauthorized access to restricted locations.

References