High-Severity Vulnerabilities Discovered in fast-uri Library — Path Traversal and Host Confusion Risks Exposed
A weekly security audit has surfaced high-severity vulnerabilities in fast-uri, a widely used URI parsing library, potentially exposing applications that depend on aws-cdk-lib to path traversal and host confusion attacks. The flaws affect all versions of fast-uri up to and including 3.1.1, and have been assigned high severity ratings in official GitHub security advisories. The audit, conducted on May 11, 2026, identified that the library improperly handles percent-encoded dot segments, allowing attackers to craft malicious URIs that bypass path validation checks. A second, related vulnerability enables host confusion through percent-encoded authority delimiters, which could allow adversaries to manipulate how systems interpret hostname boundaries in URI strings.
The vulnerabilities were detected within the node_modules dependency tree of the sports-card-portfolio project, specifically through the aws-cdk-lib package, which bundles a vulnerable version of fast-uri. Path traversal vulnerabilities in URI parsing libraries are particularly dangerous because they can enable attackers to access files or resources outside the intended scope, potentially leaking configuration files, credentials, or other sensitive data. The host confusion variant adds another dimension of risk, as improperly parsed authority sections can cause applications to misroute requests or bypass security controls that rely on hostname validation.
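Two defensive checks that do not depend on the URI parser getting encoded dot segments or authority delimiters right, as an added example (not code from the advisory, fast-uri or aws-cdk-lib); the function names, the `/static/` root, the host allowlist and the sample URIs are constructed for illustration:

```javascript
// Added example, not from the advisory or the fast-uri project. Both helpers
// treat the URI as untrusted input and re-derive the path and host themselves
// instead of trusting whatever a dependency's parser returned.

// Returns the normalized absolute path, or null if it cannot be normalized
// safely. Each segment is percent-decoded on its own, so "%2e%2e" is handled
// exactly like "..", and a segment that decodes to contain "/" (from "%2F") is
// rejected as an ambiguous boundary rather than being re-split.
function normalizePath(uriPath) {
  if (!uriPath.startsWith('/')) return null;
  const out = [];
  for (const raw of uriPath.split('/').slice(1)) {
    let seg;
    try { seg = decodeURIComponent(raw); } catch { return null; } // malformed %xx
    if (seg.includes('/')) return null;
    if (seg === '..') {            // RFC 3986 remove_dot_segments, simplified:
      if (out.length) out.pop();   // never climbs above the root
    } else if (seg !== '.') {
      out.push(seg);
    }
  }
  return '/' + out.join('/');
}

// True only if the normalized path stays inside `root` (root ends with "/").
function pathStaysUnderRoot(uriPath, root) {
  const norm = normalizePath(uriPath);
  return norm !== null && (norm + '/').startsWith(root);
}

// Cross-checks the host with the WHATWG URL parser built into Node, which
// percent-decodes and validates the host. An authority assembled from encoded
// delimiters therefore either fails to parse or yields a hostname that is not
// on the allowlist; both outcomes are treated as a rejection.
function hostIsAllowed(uri, allowedHosts) {
  try {
    return allowedHosts.includes(new URL(uri).hostname);
  } catch {
    return false; // unparseable URI or invalid host
  }
}

module.exports = { normalizePath, pathStaysUnderRoot, hostIsAllowed };
```

These checks reduce exposure while the dependency is patched; they are not a substitute for updating fast-uri.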
The findings underscore the persistent challenge of managing transitive dependencies in modern JavaScript and Node.js ecosystems. Developers are advised to run `npm audit fix` to apply available patches immediately. Given that aws-cdk-lib is a core component in AWS Cloud Development Kit deployments, the exposure may extend to infrastructure-as-code pipelines and automated cloud provisioning workflows. Security teams should assess whether their build processes, CI/CD pipelines, or deployed applications directly or indirectly consume the affected library before applying the patch in production environments.