Unicode Hostname Canonicalization Flaw in fast-uri by Fastify
CVE-2026-13676

7.5HIGH

Key Information:

Vendor: Fast-uri
Status: Fast-uri
Vendor: CVE Published:; 29 June 2026

What is CVE-2026-13676?

The vulnerability in fast-uri affects versions 2.3.1 through 3.1.2 and 4.0.0, stemming from its failure to correctly canonicalize Unicode (IDN) hostnames for HTTP URLs. This issue arises because the IDN conversion process employs a non-existent helper in the global URL constructor, resulting in the host remaining in its original Unicode format. Consequently, applications relying on fast-uri for host-based policies—such as deny lists, loopback filtering, redirect validation, and outbound proxy routing—may unintentionally allow bypasses. This occurs when the fast-uri implementation and the WHATWG-compatible URL parser resolve the same input differently. It is strongly advised to upgrade to fast-uri version 3.1.3 for version 3.x or 4.0.1 for version 4.x to safeguard against this vulnerability.

Affected Version(s)

fast-uri 4.0.0 < 4.0.1

fast-uri 2.3.1 < 3.1.3

fast-uri 4.0.1

References

https://github.com/fastify/fast-uri/security/advisories/G...

https://cna.openjsf.org/security-advisories.html

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 29, 2026
Vulnerability Reserved
Jun 29, 2026

Credit

celinke97

UlisesGascon

CVE-2026-13676 Data

JSON

Fast-uri

What is CVE-2026-13676?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit