Summary
fast-uri ≤3.1.1 contains two high-severity CVEs affecting the frontend's transitive dependency tree:
- CVE (CWE-22, CVSS 7.5): Path traversal via percent-encoded dot segments (e.g.
%2e%2e/) allows unauthorized file access.
- CVE (CWE-436, CVSS 7.5): Host confusion via percent-encoded authority delimiters enables host header spoofing.
Impact
fast-uri is a transitive dependency pulled in by Vite's plugin chain. Both vulnerabilities could be triggered by maliciously crafted URIs processed in the build pipeline or at runtime.
Steps to verify
npm ls fast-uri
npm audit 2>&1 | grep fast-uri
Recommendation
Update fast-uri to >=3.1.2 by running:
If npm audit fix cannot resolve it automatically, identify the direct dependency pinning the old version and update it.
References
- CWE-22: Path Traversal
- CWE-436: Interpretation Conflict
- Audit finding: SEC-004, SEC-005
Summary
fast-uri≤3.1.1 contains two high-severity CVEs affecting the frontend's transitive dependency tree:%2e%2e/) allows unauthorized file access.Impact
fast-uriis a transitive dependency pulled in by Vite's plugin chain. Both vulnerabilities could be triggered by maliciously crafted URIs processed in the build pipeline or at runtime.Steps to verify
Recommendation
Update
fast-urito>=3.1.2by running:If
npm audit fixcannot resolve it automatically, identify the direct dependency pinning the old version and update it.References