CVE-2026-13676
Last modified
CVE-2026-13676 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. EPSS estimates a 0.27% chance of exploitation in the next 30 days.
Description
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openjsf | Fast-Uri | >= 2.3.1, < 3.1.3 |
| Openjsf | Fast-Uri | >= 4.0.0, < 4.0.1 |
References
- https://cna.openjsf.org/security-advisories.htmlVendor Advisory
- https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6Patch, Vendor Advisory
- https://access.redhat.com/security/cve/CVE-2026-13676Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2494197Third Party Advisory
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13676.jsonThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-13676?
How severe is CVE-2026-13676?
How do I fix CVE-2026-13676?
Related CVEs from 2026
- CVE-2026-13603The payment integration pretix-oppwa provides support for t…9
- CVE-2026-1361ASDA-Soft Stack-based Buffer Overflow Vulnerability9.8
- CVE-2026-1363IAQS and I6 developed by JNC has a Client-Side Enforcement o…9.8
- CVE-2026-1364IAQS and I6 developed by JNC has a Missing Authentication vu…9.8
- CVE-2026-1365Insertion of sensitive information into sent data vulnerabil…6.5
- CVE-2026-1367Zohocorp ManageEngine ADSelfService Plus versions 6522 and b…8.3
- CVE-2026-1368The Video Conferencing with Zoom WordPress plugin before 4.6…7.5
- CVE-2026-1369The Conditional CAPTCHA WordPress plugin through 4.0.0 does …4.3
- CVE-2026-13696Improper neutralization of special elements used in an LDAP …8.8
- CVE-2026-13698A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0…7.5
- CVE-2026-1370The SIBS woocommerce payment gateway plugin for WordPress is…4.9
- CVE-2026-13704The GiveWP – Donation Plugin and Fundraising Platform plugin…6.4
Are you affected by CVE-2026-13676?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
