DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-6321: Path Traversal in fast-uri via Improper Normalization Order

Vulnerability ID: CVE-2026-6321
CVSS Score: 7.5
Published: 2026-05-08

The fast-uri library (versions ≤ 3.1.0) contains a high-severity path traversal vulnerability caused by an order-of-operations flaw in URI normalization: the library decodes percent-encoded path separators (%2F) and dot segments (%2E) before it runs dot-segment removal, which lets an attacker bypass path-based access controls and filters.

TL;DR

fast-uri ≤ 3.1.0 decodes percent-encoded URI characters before running path normalization. As a result, a payload such as %2e%2e can pass security filters and still be resolved as a path traversal. Upgrade to version 3.1.1, which introduces context-aware decoding.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network
  • CVSS Score: 7.5 (High)
  • EPSS Score: 0.00030
  • Exploit Status: Proof of Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • fast-uri <= 3.1.0 (fixed in 3.1.1)
  • Node.js applications utilizing fast-uri for request validation
  • API gateways and proxies dependent on fast-uri for routing

Code Analysis

Commit: 876ce79

Fix path traversal by introducing context-aware percent-encoding and path normalization.

Exploit Details

Mitigation Strategies

  • Upgrade fast-uri to version 3.1.1 or higher.
  • Deploy WAF rules to block URIs containing percent-encoded dot (%2e) or slash (%2f) sequences.
  • Ensure path-based authorization checks occur on the fully normalized URI, not the raw input.
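The ordering flaw described above and the third mitigation bullet, as an added example that is not fast-uri's code or the fix commit: two simplified normalizers that differ only in how percent-decoding is ordered relative to RFC 3986 dot-segment removal, and a constructed /admin access check applied once to the raw input and once to the normalized path. The path separator %2F is kept encoded in the context-aware variant because RFC 3986 treats a percent-encoded reserved character as not equivalent to the literal one.

```javascript
// Added illustration, not fast-uri's implementation. Both normalizers and the
// access-control list below are constructed for this example.

// RFC 3986 section 5.2.4 remove_dot_segments, simplified to absolute paths and
// without the RFC's trailing-slash preservation.
function removeDotSegments(path) {
  const out = [];
  for (const seg of path.split('/').slice(1)) {
    if (seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Flawed order (the pattern the advisory describes): decode every escape,
// including the reserved separator %2F, and only then remove dot segments.
function normalizeDecodeFirst(path) {
  return removeDotSegments(decodeURIComponent(path));
}

// RFC 3986 section 6.2.2.2 order: decode only unreserved characters, so an
// encoded "/" stays inside its segment, then remove dot segments.
function normalizeContextAware(path) {
  const decoded = path.replace(/%([0-9a-f]{2})/gi, (esc, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /^[A-Za-z0-9\-._~]$/.test(ch) ? ch : esc.toUpperCase();
  });
  return removeDotSegments(decoded);
}

// Constructed ACL: /admin is protected; everything else is allowed.
function isAllowed(path) {
  return !(path === '/admin' || path.startsWith('/admin/'));
}

// Vulnerable pattern: the ACL runs on raw input while routing uses the
// decode-first normalizer, so the two see different paths.
function routeCheckingRaw(rawPath) {
  if (!isAllowed(rawPath)) return { allowed: false };
  return { allowed: true, routed: normalizeDecodeFirst(rawPath) };
}

// Mitigated pattern: normalize first, then run the ACL on the normalized path.
function routeCheckingNormalized(rawPath) {
  const normalized = normalizeContextAware(rawPath);
  if (!isAllowed(normalized)) return { allowed: false };
  return { allowed: true, routed: normalized };
}
```

With the encoded-dot input the raw-input check allows the request and the decode-first normalizer routes it to /admin, while the normalized-path check denies it; with the encoded-slash input the context-aware normalizer keeps a single literal segment and never traverses.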

Remediation Steps:

  1. Audit application dependencies using npm audit or yarn audit to identify instances of fast-uri <= 3.1.0.
  2. Update the package.json file to require fast-uri version 3.1.1.
  3. Run the package manager update command to fetch the patched library and regenerate the lockfile.
  4. Deploy the updated application and monitor logs for previously blocked traversal attempts.

Read the full report for CVE-2026-6321 on our website for more details including interactive diagrams and full exploit analysis.
