Path Normalization Vulnerability in Fast URI by Fastify
CVE-2026-6321

7.5 HIGH

Key Information:

Vendor: Fast-uri

Status
Vendor
CVE Published: 4 May 2026

What is CVE-2026-6321?

Fast URI improperly processes percent-encoded path separators and dot segments. As a result, distinct URIs can be misrepresented and map to the same normalized path. Applications that rely on URL normalization or comparison to enforce security policies may therefore inadvertently allow unauthorized access. Users should update to version 3.1.1 or later to mitigate this risk.
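The following added example (not fast-uri's code, and not taken from the advisory) shows one way to keep distinct URIs distinct when a path is normalized for a policy check: RFC 3986 normalization that never turns an encoded separator into a structural one, plus a fail-closed guard. The function names, the sample paths and the `/public/` prefix are assumptions made for illustration.

```javascript
'use strict';
// Added example, not fast-uri's code. All function names are hypothetical.
// Assumes an absolute path (leading "/") with query and fragment already removed.

const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// RFC 3986 section 6.2.2.2: decode only percent-encoded unreserved characters.
// Encoded reserved characters such as %2F stay encoded (hex uppercased), so an
// encoded separator never turns into a structural "/".
function decodeUnreservedOnly(path) {
  return path.replace(/%([0-9A-Fa-f]{2})/g, (match, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return UNRESERVED.test(ch) ? ch : '%' + hex.toUpperCase();
  });
}

// RFC 3986 section 5.2.4: resolve "." and ".." on literal "/"-separated segments.
function removeDotSegments(path) {
  const segs = path.split('/');
  const out = [];
  segs.forEach((seg, i) => {
    if (seg === '.' || seg === '..') {
      if (seg === '..' && out.length > 1) out.pop(); // never pop the root
      if (i === segs.length - 1) out.push('');       // keep trailing slash
    } else {
      out.push(seg);
    }
  });
  return out.join('/');
}

function normalizePath(path) {
  return removeDotSegments(decodeUnreservedOnly(path));
}

// Fail closed: refuse encoded "/", "\" or "." before any comparison, then
// compare the normalized form against the allowed prefix.
function isAllowed(path, allowedPrefix) {
  if (!path.startsWith('/') || /%(2f|5c|2e)/i.test(path)) return false;
  return normalizePath(path).startsWith(allowedPrefix);
}

// Constructed sample inputs.
for (const p of ['/public/docs/../img/logo.png', '/public%2Fadmin', '/public/%2e%2e/admin']) {
  console.log(p, '->', normalizePath(p), 'allowed:', isAllowed(p, '/public/'));
}
```

Rejecting encoded dots outright is stricter than RFC 3986 requires; it is chosen here so the policy decision never depends on how a downstream component decodes the path.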

Affected Version(s)

fast-uri 0 < 3.1.1

fast-uri 3.1.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jvr
Matteo Collina
Ulises Gascón
KaKa