Skip to content

Security: fast-uri path traversal and host confusion — update to >=3.1.2 #644

Description

@LucasMaupin

Summary

fast-uri ≤3.1.1 contains two high-severity CVEs affecting the frontend's transitive dependency tree:

  • CVE (CWE-22, CVSS 7.5): Path traversal via percent-encoded dot segments (e.g. %2e%2e/) allows unauthorized file access.
  • CVE (CWE-436, CVSS 7.5): Host confusion via percent-encoded authority delimiters enables host header spoofing.

Impact

fast-uri is a transitive dependency pulled in by Vite's plugin chain. Both vulnerabilities could be triggered by maliciously crafted URIs processed in the build pipeline or at runtime.

Steps to verify

npm ls fast-uri
npm audit 2>&1 | grep fast-uri

Recommendation

Update fast-uri to >=3.1.2 by running:

npm audit fix

If npm audit fix cannot resolve it automatically, identify the direct dependency pinning the old version and update it.

References

  • CWE-22: Path Traversal
  • CWE-436: Interpretation Conflict
  • Audit finding: SEC-004, SEC-005

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingdependenciesPull requests that update a dependency file

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions