Source: node-ajv X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi, The following vulnerabilities were published for node-ajv. CVE-2026-6321[0]: | fast-uri decoded percent-encoded path separators and dot segments | before applying dot-segment removal in its normalize() and equal() | functions. Encoded path data was treated like real slashes and | parent-directory references, so distinct URIs could collapse onto | the same normalized path. Applications that normalize or compare | attacker-controlled URLs to enforce path-based policy can be | bypassed, with a path that appears confined under an allowed prefix | normalizing to a different location. Versions <= 3.1.0 are affected. | Update to 3.1.1 or later. https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 Fixed by: https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35 (v3.1.1) CVE-2026-6322[1]: | fast-uri normalize() decoded percent-encoded authority delimiters | inside the host component and then re-emitted them as raw delimiters | during serialization. A host that combined an allowed domain, an | encoded at-sign, and a different domain was re-emitted with the at- | sign as a raw userinfo separator, changing the URI's authority to | the second domain. Applications that normalize untrusted URLs before | host allowlist checks, redirect validation, or outbound request | routing can be steered to a different authority than the input | appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 | or later. https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293 (v3.1.2) If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-6321 https://www.cve.org/CVERecord?id=CVE-2026-6321 [1] https://security-tracker.debian.org/tracker/CVE-2026-6322 https://www.cve.org/CVERecord?id=CVE-2026-6322 Please adjust the affected versions in the BTS as needed. -- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
