[From nobody Fri May 8 21:49:08 2026 Received: (at submit) by bugs.debian.org; 8 May 2026 13:10:28 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-4.9 required=4.0 tests=BAYES_00, FOURLA, MD5_SHA1_SUM, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 41; hammy, 150; neutral, 79; spammy, 0. spammytokens: hammytokens:0.000-+--UD:security-tracker.debian.org, 0.000-+--securitytrackerdebianorg, 0.000-+--security-tracker.debian.org, 0.000-+--H*r:jmm, 0.000-+--sk:teamse Return-path: <jmm@inutil.org> Received: from inutil.org ([51.38.114.215]:57974 helo=vps-b7ad3695.vps.ovh.net) by buxtehude.debian.org with esmtp (Exim 4.96) (envelope-from <jmm@inutil.org>) id 1wLKyJ-000jgh-0t for submit@bugs.debian.org; Fri, 08 May 2026 13:10:28 +0000 Received: from soju.westfalen.local (p548dc5fc.dip0.t-ipconnect.de [84.141.197.252]) by vps-b7ad3695.vps.ovh.net (Postfix) with ESMTPSA id 455201F9 for <submit@bugs.debian.org>; Fri, 8 May 2026 13:10:26 +0000 (UTC) Received: from jmm by soju.westfalen.local with local (Exim 4.99.2) (envelope-from <jmm@soju.westfalen.local>) id 1wLKyJ-00000006z9e-42YE for submit@bugs.debian.org; Fri, 08 May 2026 15:10:27 +0200 Date: Fri, 8 May 2026 15:10:27 +0200 To: submit@bugs.debian.org Subject: node-ajv: CVE-2026-6321 CVE-2026-6322 Message-ID: <af3gw35d4sFr3Wwp@pisco.westfalen.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline From: =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= <jmm@inutil.org> Delivered-To: submit@bugs.debian.org Source: node-ajv X-Debbugs-CC: team@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for node-ajv. CVE-2026-6321[0]: | fast-uri decoded percent-encoded path separators and dot segments | before applying dot-segment removal in its normalize() and equal() | functions. Encoded path data was treated like real slashes and | parent-directory references, so distinct URIs could collapse onto | the same normalized path. Applications that normalize or compare | attacker-controlled URLs to enforce path-based policy can be | bypassed, with a path that appears confined under an allowed prefix | normalizing to a different location. Versions <= 3.1.0 are affected. | Update to 3.1.1 or later. https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 Fixed by: https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35 (v3.1.1) CVE-2026-6322[1]: | fast-uri normalize() decoded percent-encoded authority delimiters | inside the host component and then re-emitted them as raw delimiters | during serialization. A host that combined an allowed domain, an | encoded at-sign, and a different domain was re-emitted with the at- | sign as a raw userinfo separator, changing the URI's authority to | the second domain. Applications that normalize untrusted URLs before | host allowlist checks, redirect validation, or outbound request | routing can be steered to a different authority than the input | appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 | or later. https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293 (v3.1.2) If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-6321 https://www.cve.org/CVERecord?id=CVE-2026-6321 [1] https://security-tracker.debian.org/tracker/CVE-2026-6322 https://www.cve.org/CVERecord?id=CVE-2026-6322 Please adjust the affected versions in the BTS as needed. ]