CVE-2026-13676

Name: CVE-2026-13676
Description: fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
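The parser differential described above, and the two workarounds the description names, as an added JavaScript example. This is not code from fast-uri, the GitHub advisory, or the Debian tracker. naiveHost() is a deliberately naive stand-in for a parser that leaves an IDN host in its Unicode form; it is not fast-uri's implementation. The denylist entries and probe URLs are constructed, and the example assumes a Node.js runtime whose global URL is the WHATWG parser that fetch() uses for the real request.

```javascript
"use strict";

// Canonicalize a host the way the request parser will: WHATWG URL applies
// IDNA ToASCII (Unicode -> punycode, fullwidth/compatibility mapping, lowercase).
// Both sides of a host comparison must go through the same function.
function canonicalHost(host) {
  return new URL(`http://${host}/`).hostname;
}

// Constructed denylist written in human-readable form; canonicalHost() turns
// "exämple.com" into "xn--exmple-cua.com", which is what fetch() would see.
const DENYLIST = new Set(
  ["localhost", "127.0.0.1", "exämple.com"].map(canonicalHost)
);

// Stand-in for a parser that does NOT canonicalize IDN hosts (a naive regex,
// not fast-uri's code). It hands back the authority in whatever form the
// caller supplied, which is the behaviour the advisory describes.
function naiveHost(raw) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(raw);
  if (!m) return null;
  let host = m[1];
  const at = host.lastIndexOf("@");
  if (at !== -1) host = host.slice(at + 1);          // drop userinfo
  const colon = host.lastIndexOf(":");
  if (colon !== -1 && !host.includes("]")) host = host.slice(0, colon); // drop port
  return host.toLowerCase();
}

// Vulnerable pattern: policy is decided on naiveHost(), but the request is
// later made with fetch(), which resolves the host through WHATWG URL.
function vulnerableIsAllowed(raw) {
  const host = naiveHost(raw);
  return host !== null && !DENYLIST.has(host);
}

// The host fetch() would actually connect to. Non-HTTP schemes and unparsable
// input are rejected outright rather than falling through to "allowed".
function effectiveHost(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.hostname; // already canonical: lowercase, IDN as punycode
}

// Workaround 1: enforce policy with the same parser used for the request.
function hardenedIsAllowed(raw) {
  const host = effectiveHost(raw);
  return host !== null && !DENYLIST.has(host);
}

// Workaround 2: refuse any non-ASCII input before the policy check runs.
// Deliberately conservative: it also rejects non-ASCII in paths and queries,
// which callers should be percent-encoding anyway.
function hasNonAscii(raw) {
  return /[^\x00-\x7F]/.test(raw);
}

function asciiOnlyIsAllowed(raw) {
  if (hasNonAscii(raw)) return false;
  return hardenedIsAllowed(raw);
}

// Constructed probes. The first two are denied hosts spelled in Unicode forms
// that WHATWG URL maps onto denylisted ASCII hosts.
const PROBES = [
  "http://exämple.com/",            // -> xn--exmple-cua.com
  "http://ｌｏｃａｌｈｏｓｔ:8080/",   // fullwidth letters -> localhost
  "http://example.org/",            // plain ASCII, not denylisted
  "ftp://example.org/",             // non-HTTP scheme, rejected by effectiveHost
];

for (const raw of PROBES) {
  console.log(
    raw,
    "| naive:", naiveHost(raw),
    "| effective:", effectiveHost(raw),
    "| vulnerable allows:", vulnerableIsAllowed(raw),
    "| hardened allows:", hardenedIsAllowed(raw),
    "| ascii-only allows:", asciiOnlyIsAllowed(raw)
  );
}
```

The first two probes are the bypass: the naive check sees "exämple.com" and the fullwidth string, neither of which is in the denylist, while fetch() would connect to the denylisted xn--exmple-cua.com and localhost. Building the denylist through canonicalHost() matters as much as parsing the input with URL; a denylist that stores "exämple.com" literally would never match the punycode hostname the request parser produces.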

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release      Version                 Status
node-ajv (PTS)    bullseye     6.12.6-2                vulnerable
                  bookworm     6.12.6-3                vulnerable
                  trixie       8.12.0~ds+~2.1.1-5      vulnerable
                  forky, sid   8.20.0~ds+~cs6.1.3-1    vulnerable

The information below is based on the following data on fixed versions.

Package     Type     Release       Fixed Version   Urgency   Origin   Debian Bugs
node-ajv    source   (unstable)    (unfixed)

Notes

[trixie] - node-ajv <no-dsa> (Minor issue)
https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6
Embedded fast-uri used and provided as node-fast-uri, starting with forky
