fast-uri vulnerable to host confusion via failed IDN canonicalization
Summary
| CVE | CVE-2026-13676 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-29 14:16:47 UTC |
| Updated | 2026-06-30 03:17:14 UTC |
| Description | fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.002780000 probability, percentile 0.195360000 (date 2026-06-30)
Problem Types: CWE-436 Interpretation Conflict; CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | High |
| Availability | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Fast-uri | Fast-uri | affected: >= 4.0.0, < 4.0.1 (semver) | Not specified |
| CNA | Fast-uri | Fast-uri | unaffected: 4.0.1 (semver) | Not specified |
| CNA | Fast-uri | Fast-uri | affected: >= 2.3.1, < 3.1.3 (semver) | Not specified |
| CNA | Fast-uri | Fast-uri | unaffected: 3.1.3 (semver) | Not specified |
| ADP | Red Hat | Confidential Compute Attestation | Not specified | Not specified |
| ADP | Red Hat | Cryostat 4 | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Applications 8 | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Containers | Not specified | Not specified |
| ADP | Red Hat | Multicluster Engine For Kubernetes | Not specified | Not specified |
| ADP | Red Hat | Network Observability Operator | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | OpenShift Pipelines | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | Red Hat Advanced Cluster Management For Kubernetes 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat AMQ Broker 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel - HawtIO 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apicurio Registry 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Podman Desktop | Not specified | Not specified |
| ADP | Red Hat | Red Hat Connectivity Link 1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Developer Hub | Not specified | Not specified |
| ADP | Red Hat | Red Hat Discovery 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Edge Manager 1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Openshift Data Foundation 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Virtualization 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
| ADP | Red Hat | Self-service Automation Portal 2 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cna.openjsf.org/security-advisories.html | ce714d77-add3-4f53-aff5-83d477b104bb | cna.openjsf.org | |
| access.redhat.com/security/cve/CVE-2026-13676 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13676.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6 | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: celinke97 (en)
CNA: UlisesGascon (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-29T14:01:55.592Z | Reported to Red Hat. |
| ADP | 2026-06-29T13:22:44.674Z | Made public. |
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
There are currently no legacy QID mappings associated with this CVE.