CVE-2026-6321 - fast-uri encoded path traversal

fast-uri versions through 3.1.0 can decode percent-encoded separators and dot segments before path normalization or URL equality checks. Applications that use fast-uri.normalize() or fast-uri.equal() to decide whether an attacker-controlled URL is inside an allowed path can make the wrong security decision.

The safe fix is to upgrade and audit the surrounding policy code. URL normalization helpers are not authorization boundaries unless the caller has defined a canonical input model, trusted proxy behavior, decoding order, and raw path handling.

When to use it

Use this recipe when a JavaScript/Node repository depends on fast-uri directly or through frameworks and uses URL normalization or equality near security decisions. It is especially important for SSRF guards, redirect allow-lists, callback/webhook routing, tenant path isolation, admin path guards, reverse proxy routing, CDN/cache keys, signed URLs, and static-file policy.

Use it to upgrade fast-uri and audit the surrounding URL policy model. Do not use it to probe production gateways or tenant routes with encoded traversal strings.

Inputs

  • Package manifests, lockfiles, workspaces, Dockerfiles, generated dependency reports, SBOMs, gateway plugins, validation libraries, SSRF guards, callback validators, reverse-proxy config, and deployment images that may resolve fast-uri.
  • Call sites for fast-uri.normalize, fast-uri.equal, wrappers, URL/path allow-lists, deny-lists, redirect validation, webhook/callback validation, tenant/admin path checks, CDN/cache keys, and proxy rewrite code.
  • URL input source classification: trusted config, repository-owned URL, tenant supplied, unauthenticated request, webhook provider, OAuth provider, agent/tool supplied, model/provider supplied, or third-party integration.
  • Proxy/CDN/framework/app decoding order, raw path availability, route identity behavior, and edge rejection policy for ambiguous encodings.
  • Local unit-test fixtures for encoded dot segments, encoded separators, mixed case encodings, and double-decoding confusion.

Affected versions

  • Vulnerable package: fast-uri <=3.1.0
  • Fixed package: fast-uri 3.1.1+
  • Affected operations: URL normalization and equality checks involving percent-encoded path separators or dot segments
  • Affected surfaces: allow/deny path checks, reverse proxy routing, callback allow-lists, SSRF defenses, CDN/cache key policy, tenant path isolation, admin path guards, webhook routing, and signed URL validation
  • Workaround: no safe package-level workaround; upgrade to the patched version and review policy code that relied on affected behavior

Indicator-of-exposure

  • The repository depends on fast-uri <=3.1.0 directly or through Fastify, Ajv, URL utility packages, SSRF guard code, proxy middleware, gateway plugins, or validation libraries.
  • Code imports fast-uri and calls normalize, equal, URI parsing helpers, or wrappers around those helpers before making security decisions.
  • User-controlled URLs are compared against allow-lists, deny-lists, tenant prefixes, callback paths, webhook paths, static-file roots, cache keys, or admin path prefixes.
  • Tests cover plain .. traversal but not encoded dot segments or encoded separators.
  • Proxy, CDN, framework, and app code decode URL paths in different orders.

Quick checks:

rg -n "fast-uri|normalize\\(|\\.equal\\(|uri\\.equal|allowed.*url|allow.*path|deny.*path|callback.*url|webhook.*url|SSRF|tenant.*path|admin.*path|proxy.*path" .
npm ls fast-uri
pnpm why fast-uri
yarn why fast-uri
rg -n "fast-uri|%2e|%2f|decodeURIComponent|new URL\\(|URLPattern|path.*allow|path.*deny" package.json package-lock.json pnpm-lock.yaml yarn.lock src app packages tests . 2>/dev/null

Windows:

rg -n "fast-uri|normalize\\(|\\.equal\\(|uri\\.equal|allowed.*url|allow.*path|deny.*path|callback.*url|webhook.*url|SSRF|tenant.*path|admin.*path|proxy.*path" .
npm ls fast-uri
pnpm why fast-uri
yarn why fast-uri
rg -n "fast-uri|%2e|%2f|decodeURIComponent|new URL\\(|URLPattern|path.*allow|path.*deny" package.json package-lock.json pnpm-lock.yaml yarn.lock src app packages tests .

Do not probe production gateways, callbacks, tenant routes, admin routes, or internal services with encoded traversal strings during triage.

Remediation strategy

  • Upgrade every controlled fast-uri dependency, lockfile, image, generated dependency report, and SBOM to 3.1.1+.
  • Identify every caller that uses URL normalization or equality to enforce path-based policy. Convert those checks to explicit canonicalization using a documented decode order and raw-path threat model.
  • For SSRF and redirect allow-lists, validate scheme, host, port, and canonical path separately. Do not rely on string equality after helper normalization.
  • Add regression tests for percent-encoded dot segments and separators using local unit tests only.
  • Verify proxy/CDN/framework decoding behavior matches application policy. Where it does not, reject ambiguous encoded paths at the edge before app routing.
  • If upgrade is blocked, remove affected helper calls from authorization and routing decisions or fail closed on encoded path separators and dot segments.

The prompt

You are remediating CVE-2026-6321 / GHSA-q3j6-qgpj-74h6, a `fast-uri` path
normalization issue where percent-encoded dot segments and separators can
bypass URL path policy checks. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades `fast-uri`, audits
  path-based URL policy callers, adds safe regression coverage, refreshes
  generated artifacts, and documents edge/proxy behavior, or
- TRIAGE.md if this repository does not own an affected `fast-uri` dependency
  or any security-sensitive URL normalization surface.

## Rules

- Scope only CVE-2026-6321 / GHSA-q3j6-qgpj-74h6 and directly related URL
  normalization, equality, routing, SSRF, redirect, and path policy controls.
- Treat tokens, cookies, callback secrets, webhook payloads, tenant paths,
  admin routes, signed URLs, internal service URLs, logs, and proxy traces as
  sensitive.
- Do not probe production gateways, callbacks, tenant routes, admin routes, or
  internal services with encoded traversal strings.
- Do not remove authorization, SSRF defenses, redirect validation, tenant
  isolation, audit logging, or tests to silence the advisory.
- Do not auto-merge.

## Steps

1. Inventory every `fast-uri` reference controlled by the repository: package
   manifests, lockfiles, workspaces, Dockerfiles, generated dependency reports,
   SBOMs, gateway plugins, validation libraries, SSRF guards, callback
   validators, reverse proxy config, and deployment images.
2. Determine every resolved `fast-uri` version. A target is vulnerable if it
   resolves to `<=3.1.0`.
3. Search for security-sensitive URL policy callers: `fast-uri`, `normalize`,
   `equal`, URL/path allow-lists, deny-lists, SSRF guards, redirect targets,
   callback URLs, webhook routing, tenant path prefixes, admin path guards,
   static file routing, CDN/cache keys, and proxy rewrite code.
4. Classify each URL input source as trusted config, repository-owned URL,
   tenant supplied, unauthenticated request, webhook provider, OAuth provider,
   agent/tool supplied, model/provider supplied, or third-party integration.
5. If `fast-uri` is absent, fixed, or used only for non-security display or
   parsing, stop with `TRIAGE.md` listing checked files, resolved versions, and
   exposure rationale.
6. Upgrade all controlled `fast-uri` references to `3.1.1+`. Refresh locks,
   workspace constraints, images, generated dependency reports, SBOMs, and docs.
7. Fix unsafe policy callers:
   - do not authorize solely by comparing normalized URL strings;
   - validate scheme, host, port, and canonical path as separate fields;
   - define and test decode order explicitly;
   - reject ambiguous encoded separators and dot segments where app/proxy
     behavior differs;
   - use framework route identity or raw request path for route authorization
     instead of post-normalization strings.
8. Add safe regression checks:
   - dependency policy rejects `fast-uri <=3.1.0`;
   - encoded dot-segment and encoded-separator fixtures cannot bypass path
     allow/deny rules;
   - SSRF and redirect allow-lists validate components separately;
   - tests run locally and do not contact live internal or external services;
   - logs and test output do not include tokens, cookies, signed URLs, or
     tenant data.
9. Add a PR body section named `CVE-2026-6321 operator actions` that states:
   - `fast-uri` versions before and after;
   - which packages pulled it in;
   - which URL policy callers were reviewed;
   - how edge proxy, CDN, and framework URL decoding are aligned;
   - whether any tenant, callback, webhook, SSRF, redirect, or admin path rule
     changed;
   - which validation commands passed.
10. If immediate upgrade is blocked, add temporary containment where this repo
    controls it: reject encoded path separators and encoded dot segments before
    policy checks, remove affected helper calls from authorization decisions,
    and document owner, deadline, and residual risk.
11. Run available validation: package install, lockfile integrity, unit tests,
    URL policy tests, route tests, lint/typecheck, image build, SBOM refresh,
    dependency/security scans, and gateway/proxy render checks.
12. Use PR title:
    `fix(sec): remediate CVE-2026-6321 in fast-uri URL policy`.

## Stop conditions

- No affected `fast-uri` dependency, lockfile, image, URL policy caller, or
  generated artifact is controlled by this repository.
- The affected dependency is owned by another platform or gateway team; name
  the owner and required fixed version in `TRIAGE.md`.
- A fixed `fast-uri` version requires a broader framework migration the agent
  cannot safely complete.
- Verification would require probing production, internal services, tenant
  routes, callbacks, or admin endpoints.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, image, SBOM, or generated report resolves fast-uri <=3.1.0.
  • Security-sensitive URL policy code no longer trusts affected normalization behavior as an authorization boundary.
  • Tests cover encoded dot segments and encoded separators without contacting production or internal services.
  • Proxy/CDN/framework/app decoding behavior is documented where path policy depends on it.
  • Operator notes identify any changed SSRF, redirect, callback, webhook, tenant, or admin path controls.

Watch for

  • Fixing direct dependencies while a workspace package or transitive Fastify/Ajv path still resolves the vulnerable version.
  • Relying on decodeURIComponent or new URL() without documenting how the proxy and framework decode the same path.
  • Adding tests for plain ../ only and missing encoded path separators.
  • Treating URL string equality as sufficient for SSRF, redirect, or callback allow-lists.
  • Running live probes against production gateways instead of local unit tests.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades fast-uri to 3.1.1+, audits security-sensitive URL policy callers, replaces normalized-string authorization with explicit component validation, adds encoded traversal regression tests, refreshes generated artifacts, and documents edge/proxy behavior.
  • TRIAGE.md when no controlled affected fast-uri dependency, lockfile, image, generated artifact, or security-sensitive normalization surface exists.

The output must list versions before/after, packages that pull fast-uri, policy callers reviewed, input sources, decoding-order assumptions, SSRF/redirect/callback/tenant/admin rule changes, validation commands, and any temporary containment. It must not probe production services, expose tokens or signed URLs, remove authorization/SSRF controls, or rely on URL string equality as the final boundary.

References