CVE-2026-6321 Overview
CVE-2026-6321 is a path traversal vulnerability [CWE-22] in the fast-uri JavaScript library maintained under the Fastify project. The flaw resides in the normalize() and equal() functions, which decode percent-encoded path separators and dot segments before applying dot-segment removal. Encoded sequences such as %2F and %2E%2E are treated as real slashes and parent-directory references. Distinct URIs collapse onto the same normalized path, breaking path-based security policy. Versions <= 3.1.0 are affected, and version 3.1.1 contains the fix.
Critical Impact
Attackers can bypass URL allowlists and prefix-based access controls by crafting URIs that appear confined under a permitted path but normalize to a different location.
Affected Products
- fast-uri versions <= 3.1.0
- Fastify applications and plugins that depend on fast-uri for URI parsing
- Node.js services using fast-uri.normalize() or fast-uri.equal() for policy enforcement
Discovery Timeline
- 2026-05-04 - CVE-2026-6321 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-6321
Vulnerability Analysis
The fast-uri library provides URI parsing and normalization for the Fastify ecosystem. Its normalize() and equal() functions percent-decode the path before it is split into segments and dot segments are removed. That ordering changes the meaning of the URI: RFC 3986 (section 2.2) treats a percent-encoded reserved character such as %2F as distinct from the literal delimiter, yet after early decoding an encoded separator surfaces as a real / and an encoded .. sequence becomes a traversal token that the dot-segment pass then honours.
Applications relying on these functions to enforce path-based policy compare a URI against an allowed prefix. A request such as /allowed/%2E%2E/secret passes a naive prefix check because the literal string begins with /allowed/. After normalize() decodes the encoded segments, the path resolves to /secret, outside the intended boundary. The same flaw lets two semantically different URIs return true from equal(), undermining cache keys and authorization checks.
Root Cause
The root cause is incorrect operation ordering inside the URI canonicalization pipeline: percent-decoding runs before the path is segmented and dot segments are removed. Because RFC 3986 section 2.2 states that a URI containing a percent-encoded reserved character (for example %2F) is not equivalent to the same URI with the literal character, separators must be identified on the still-encoded path. Decoding first lets encoded traversal data create new segments and reach the dot-segment filter as literal . and .. tokens.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker submits a crafted URL containing percent-encoded path separators (%2F) or encoded dot segments (%2E%2E or .%2E) to any endpoint that uses fast-uri.normalize() or fast-uri.equal() for routing, allowlisting, or origin comparison. The library returns a normalized path that differs from the literal prefix the application validated, producing a policy bypass.
No verified public exploit code is published. See the GitHub Security Advisory GHSA-q3j6-qgpj-74h6 for the maintainer's technical write-up.
Detection Methods for CVE-2026-6321
Indicators of Compromise
- HTTP request paths containing %2F, %2f, %2E%2E, %2e%2e, or mixed-case variants targeting endpoints that enforce prefix-based authorization
- Access log entries where the requested path includes encoded traversal tokens followed by sensitive route names
- Anomalous successful responses for resources that should fall outside an authenticated user's allowed path scope
Detection Strategies
- Inventory dependencies with npm ls fast-uri across Node.js services and flag any version <= 3.1.0
- Add Web Application Firewall (WAF) rules that decode request paths and compare them against the raw path, alerting when canonicalization changes the prefix
- Review code for direct calls to fastUri.normalize() and fastUri.equal() used in authorization, routing, or cache-key logic
Monitoring Recommendations
- Log both the raw and normalized request paths at the application edge to detect divergence
- Alert on 2xx responses to paths containing percent-encoded separators or dot segments on routes that enforce prefix-based policy; some APIs legitimately carry %2F inside an encoded path parameter, so scope the rule to policy-enforcing routes to keep false positives down
- Track outbound requests from server-side fetchers that resolve URLs through fast-uri to catch Server-Side Request Forgery (SSRF) chained from this flaw
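To make the indicators and the raw-versus-decoded comparison above concrete, here is an added example (written for this page; it is not fast-uri, Fastify or WAF vendor code) that scans constructed Apache combined-format access log lines for the encoded traversal tokens listed under Indicators of Compromise, decodes each path defensively, tags the request with every indicator it triggers, and raises an alert only when such a request also succeeded with a 2xx status. The log lines, the SENSITIVE_ROUTES list and the verdict names are constructed assumptions for illustration.

```javascript
// Added example: detection logic for the indicators listed above, run over
// constructed Apache "combined"-format access-log lines (not real traffic).
// The SENSITIVE_ROUTES list and the verdict names are assumptions.

// Apache combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ([^"]*)" (\d{3}) (\S+)/;

// Routes worth flagging when an encoded traversal token precedes them (tune per app).
const SENSITIVE_ROUTES = ['/admin', '/secret', '/internal', '/.env'];

// Constructed sample log. Line 3 carries a lone %2E inside a filename, which is
// not a traversal token and must not fire.
const SAMPLE_LOG = [
  '10.0.0.5 - - [04/May/2026:10:15:01 +0000] "GET /allowed/%2E%2E/secret HTTP/1.1" 200 512 "-" "curl/8.5.0"',
  '10.0.0.5 - - [04/May/2026:10:15:02 +0000] "GET /allowed/..%2fadmin HTTP/1.1" 200 1024 "-" "curl/8.5.0"',
  '10.0.0.7 - - [04/May/2026:10:15:03 +0000] "GET /allowed/report%2Epdf HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [04/May/2026:10:15:04 +0000] "GET /allowed/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0 "-" "python-requests/2.31"',
  '10.0.0.9 - - [04/May/2026:10:15:05 +0000] "GET /allowed/files/readme.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[6]) };
}

// Percent-decode without throwing on malformed input ("%ZZ"), which attackers
// also send; null means "could not decode", which is itself worth logging.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return null;
  }
}

function analyzeLine(line) {
  const entry = parseLogLine(line);
  if (entry === null) return null;
  const rawPath = entry.target.split('?')[0];
  const indicators = [];

  // Raw-path indicators: tokens that become "/" or ".." only if a normaliser decodes first.
  if (/%2f/i.test(rawPath)) indicators.push('encoded-separator');
  if (/%2e%2e|%2e\.|\.%2e/i.test(rawPath)) indicators.push('encoded-dot-segment');

  // Decoded-path indicators: what the request means once canonicalised.
  const decoded = safeDecode(rawPath);
  if (decoded !== null && /(^|\/)\.\.(\/|$)/.test(decoded)) indicators.push('decoded-traversal');
  if (decoded !== null && SENSITIVE_ROUTES.some((r) => decoded.toLowerCase().includes(r))) {
    indicators.push('sensitive-route');
  }

  const encodedToken = indicators.includes('encoded-separator') || indicators.includes('encoded-dot-segment');
  const success = entry.status >= 200 && entry.status < 300;
  let verdict = 'clean';
  if (encodedToken && success) verdict = 'alert';   // token present AND the server served it
  else if (encodedToken) verdict = 'probe';         // token present but refused (4xx/5xx)
  return { ...entry, rawPath, decoded, indicators, verdict };
}

function scanLog(lines) {
  const results = lines.map(analyzeLine).filter((r) => r !== null);
  return {
    alerts: results.filter((r) => r.verdict === 'alert'),
    probes: results.filter((r) => r.verdict === 'probe'),
    clean: results.filter((r) => r.verdict === 'clean'),
  };
}

function demo() {
  const report = scanLog(SAMPLE_LOG);
  for (const r of [...report.alerts, ...report.probes]) {
    console.log(`${r.verdict.toUpperCase()} ${r.ip} ${r.status} ${r.rawPath} -> ${r.decoded} [${r.indicators.join(', ')}]`);
  }
}

demo();
```

The split between alert and probe matters operationally: a 403 on an encoded-traversal path shows an attacker testing the surface, while a 200 on the same shape of path is the signal that policy actually diverged from the canonical route and needs triage.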
How to Mitigate CVE-2026-6321
Immediate Actions Required
- Upgrade fast-uri to version 3.1.1 or later in all package.json and lockfile entries
- Rebuild and redeploy any Node.js service or Fastify plugin that bundles a vulnerable copy of the library
- Audit transitive dependencies, since fast-uri is pulled in by fastify, ajv-formats, and other common packages
Patch Information
The Fastify maintainers released fast-uri 3.1.1 to correct the canonicalization order, so that encoded sequences such as %2F and %2E%2E are no longer treated as literal separators and dot segments by normalize() and equal(). Refer to the GitHub Security Advisory GHSA-q3j6-qgpj-74h6 and the OpenJS Foundation Security Advisories for advisory text and patch metadata.
Workarounds
- Reject HTTP requests whose raw path contains %2F, %2f, or encoded dot segments before they reach application logic; scope this to routes that enforce path-based policy, since clients of some APIs legitimately encode a slash inside a single path parameter
- Re-validate the canonical path against the allowlist after fast-uri returns its normalized value, instead of trusting a prefix check on the raw string alone
- Replace fast-uri.equal() in security decisions with a comparator that splits on literal / and removes dot segments before any percent-decoding, and never decodes reserved characters such as %2F, so encoded sequences cannot become separators or dot segments
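The following added example (written for this page, not taken from fast-uri's source) models the two canonicalization orders discussed in the Vulnerability Analysis above and shows why the last two workarounds hold. flawedNormalizePath() mirrors the behaviour the advisory attributes to fast-uri <= 3.1.0 (percent-decode, then remove dot segments); hardenedNormalizePath() removes dot segments on the literal path first and only case-normalizes percent-encodings, so %2F and %2E%2E can never become separators or dot segments. The function names, the /allowed/ prefix and the probe paths are assumptions chosen for illustration; removeDotSegments() follows RFC 3986 section 5.2.4.

```javascript
// Added example: a model of the canonicalization-order flaw described above and a
// hardened alternative. This is NOT fast-uri's source; every function name here is
// hypothetical, and "/allowed/" is an assumed policy prefix.

// RFC 3986 section 5.2.4 remove_dot_segments. It recognises only a literal "/" as
// a separator and only literal "." and ".." as dot segments; percent-encoded
// octets are opaque to it.
function removeDotSegments(path) {
  let input = path;
  const output = [];
  while (input.length > 0) {
    if (input.startsWith('../')) {
      input = input.slice(3);
    } else if (input.startsWith('./')) {
      input = input.slice(2);
    } else if (input.startsWith('/./')) {
      input = input.slice(2);            // "/./x" -> "/x"
    } else if (input === '/.') {
      input = '/';
    } else if (input.startsWith('/../')) {
      input = input.slice(3);            // "/../x" -> "/x" ...
      output.pop();                      // ... and drop the previous segment
    } else if (input === '/..') {
      input = '/';
      output.pop();
    } else if (input === '.' || input === '..') {
      input = '';
    } else {
      // Move the first segment (with its leading "/", if any) to the output.
      const start = input.startsWith('/') ? 1 : 0;
      let end = input.indexOf('/', start);
      if (end === -1) end = input.length;
      output.push(input.slice(0, end));
      input = input.slice(end);
    }
  }
  return output.join('');
}

// Flawed order, mirroring what the advisory attributes to fast-uri <= 3.1.0:
// percent-decode first, then remove dot segments. %2F becomes a separator and
// %2E%2E becomes "..", so encoded bytes acquire structural meaning.
// (decodeURIComponent throws on malformed sequences such as "%ZZ".)
function flawedNormalizePath(path) {
  return removeDotSegments(decodeURIComponent(path));
}

// Hardened order: remove dot segments on the literal path, then only
// case-normalise percent-encodings (RFC 3986 section 6.2.2.1). Reserved
// characters such as "/" (%2F) are never decoded, because section 2.2 says a URI
// containing %2F is not equivalent to one containing "/". Leaving %2E encoded as
// well is a deliberately conservative choice for paths used in policy decisions.
function hardenedNormalizePath(path) {
  return removeDotSegments(path).replace(/%[0-9a-f]{2}/gi, (m) => m.toUpperCase());
}

// Prefix-based authorisation evaluated on the normaliser's output.
function isUnderPrefix(path, prefix, normalize) {
  const normalized = normalize(path);
  return normalized === prefix.replace(/\/$/, '') || normalized.startsWith(prefix);
}

// The dangerous pattern from the analysis: allow on the raw prefix, then route on
// the normalised path. Returns true when the two decisions disagree.
function decisionDiverges(path, prefix, normalize) {
  return path.startsWith(prefix) !== isUnderPrefix(path, prefix, normalize);
}

// equal()-style comparison: two URIs are equal if their normalised forms match.
function pathsEqual(a, b, normalize) {
  return normalize(a) === normalize(b);
}

// Constructed probe paths; every one passes a naive startsWith('/allowed/') check.
const PROBES = [
  '/allowed/%2E%2E/secret',  // encoded ".." segment
  '/allowed/..%2Fsecret',    // literal ".." followed by an encoded separator
  '/allowed/.%2E/secret',    // half-encoded dot segment
  '/allowed/report.txt',     // benign
];

function demo() {
  for (const p of PROBES) {
    console.log(
      p.padEnd(24),
      'flawed ->', flawedNormalizePath(p).padEnd(22),
      'hardened ->', hardenedNormalizePath(p),
      decisionDiverges(p, '/allowed/', flawedNormalizePath) ? ' BYPASS' : '',
    );
  }
  console.log('flawed equal:  ', pathsEqual('/allowed/%2E%2E/secret', '/secret', flawedNormalizePath));
  console.log('hardened equal:', pathsEqual('/allowed/%2E%2E/secret', '/secret', hardenedNormalizePath));
}

demo();
```

Run it with node and the flawed column collapses all three traversal probes onto /secret while the hardened column keeps every path under /allowed/, so the raw prefix check and the routing decision agree. decisionDiverges() is exactly the condition an edge logger that records both raw and normalized paths should alert on.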
# Upgrade fast-uri across the project
npm install fast-uri@^3.1.1
npm audit --production
# Verify no vulnerable versions remain in the dependency tree
npm ls fast-uri
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


