{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fast-uri--3.1.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6321"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["fast-uri (\u003c= 3.1.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","defense-evasion","javascript"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003efast-uri, a JavaScript library used for URI parsing and normalization, is susceptible to a path traversal vulnerability (CVE-2026-6321) in versions 3.1.0 and earlier. The vulnerability arises from the library\u0026rsquo;s decoding of percent-encoded path separators (\u003ccode\u003e%2F\u003c/code\u003e) and dot segments (\u003ccode\u003e%2E\u003c/code\u003e) before applying dot-segment removal during URI normalization. This can cause distinct URIs to collapse onto the same normalized path, potentially allowing attackers to bypass path-based access controls. Applications that rely on fast-uri for URL normalization or comparison may be vulnerable. Defenders should upgrade to fast-uri version 3.1.1 or later to remediate this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL containing percent-encoded dot segments (e.g., \u003ccode\u003e%2E%2E\u003c/code\u003e) or path separators (e.g., \u003ccode\u003e%2F\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker supplies the crafted URL to a vulnerable application that uses \u003ccode\u003efast-uri\u003c/code\u003e for URL processing, comparison, or normalization.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efast-uri\u003c/code\u003e library decodes the percent-encoded characters before performing dot-segment removal.\u003c/li\u003e\n\u003cli\u003eThe decoded path segments are processed, potentially leading to path traversal (e.g., \u003ccode\u003epublic/%2e%2e/admin\u003c/code\u003e becomes \u003ccode\u003epublic/../admin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enormalize()\u003c/code\u003e or \u003ccode\u003eequal()\u003c/code\u003e functions in \u003ccode\u003efast-uri\u003c/code\u003e further process the URI, resulting in an unexpected final path (e.g., \u003ccode\u003epublic/../admin\u003c/code\u003e becomes \u003ccode\u003e/admin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe application uses the normalized URL to make access control decisions, believing the user is accessing a different resource than intended.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to restricted resources or functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass path-based access controls in applications utilizing the vulnerable versions of \u003ccode\u003efast-uri\u003c/code\u003e. This can result in unauthorized access to sensitive data, modification of configurations, or execution of arbitrary code, depending on the application\u0026rsquo;s functionality and the resources exposed. The severity of the impact is highly dependent on the specific application and its security architecture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003efast-uri\u003c/code\u003e version 3.1.1 or later to patch CVE-2026-6321, as indicated in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect fast-uri Path Traversal Attempts via URL Normalization\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-fast-uri-path-traversal/","summary":"fast-uri versions 3.1.0 and earlier are vulnerable to path traversal due to decoding percent-encoded path separators and dot segments before dot-segment removal, potentially leading to bypasses of path-based policy enforcement.","title":"fast-uri Path Traversal Vulnerability via Percent-Encoded Dot Segments","url":"https://feed.craftedsignal.io/briefs/2024-01-fast-uri-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Fast-Uri (\u003c= 3.1.0)","version":"https://jsonfeed.org/version/1.1"}