[Security] [GHSA-q3j6-qgpj-74h6 / GHSA-v39h-62p7-jpjc] Path traversal and host confusion in fast-uri #2791

@github-actions

Security Vulnerability Report

Summary

  • Package: fast-uri
  • Affected Version: <=3.1.1 (transitive dependency)
  • Severity: HIGH
  • Advisories: https://github.com/advisories/GHSA-q3j6-qgpj-74h6 and https://github.com/advisories/GHSA-v39h-62p7-jpjc
  • CWE: CWE-22 (Path Traversal), CWE-436 (Interpretation Conflict)

Vulnerability Details

GHSA-q3j6-qgpj-74h6: fast-uri fails to properly normalize percent-encoded dot segments (e.g. %2E%2E) in URI paths. A path that passes a prefix or allowlist check in its encoded form can resolve to a different location once a downstream component decodes it, which enables path traversal and lets a crafted URI bypass path-based access controls.

GHSA-v39h-62p7-jpjc: fast-uri mishandles percent-encoded authority delimiter characters (%40, %3A and %2F for @, : and /), so the parsed host can differ from the host the author intended and from what another parser would see. In systems that make routing or access-control decisions from the parsed host, this interpretation conflict can lead to SSRF or authentication bypass.

Impact on gh-aw-firewall

fast-uri is a transitive dependency of the JSON schema validation tooling (ajv). Given that gh-aw-firewall is a security-critical firewall that performs domain allowlist enforcement, any URI parsing inconsistency is especially concerning — a malformed URI could potentially bypass domain ACL checks if URI parsing is used in the validation path.

Remediation

This vulnerability has been fixed in PR #aw_pr1, which runs npm audit fix to update fast-uri to >=3.1.2.

Command: npm audit fix

Because fast-uri is a transitive dependency, confirm the resolved version afterwards with npm ls fast-uri. If a parent package pins a range that excludes 3.1.2, npm audit fix cannot raise it and an overrides entry in package.json is needed instead.

Testing Required

  • Run the full test suite after the update
  • Verify that domain ACL enforcement still rejects hosts outside the allowlist
  • Test with percent-encoded URIs: encoded dot segments (%2E%2E) in paths and encoded authority delimiters (%40, %3A, %2F) in the host portion, checking that the host and path the ACL sees match what a second parser sees
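The two hazard classes described in the advisories above, and the percent-encoded checks in the testing list, as an added example. This is not code from gh-aw-firewall, ajv or fast-uri: the small parsers below (splitUri, hostDecodeThenSplit, hostSplitThenDecode, removeDotSegments, normalizePath, isAllowed, pathWithinPrefix) are hypothetical models of the bug pattern and of a fail-closed check, and the sample URIs are constructed. The allowlist check also cross-checks the host against Node's built-in WHATWG URL parser, so a disagreement between two parsers is treated as a rejection.

```javascript
// Added example; not code from gh-aw-firewall, ajv or fast-uri. The functions
// are hand-written models (hypothetical names) of the two hazard classes in
// the advisories, plus a fail-closed allowlist check for a domain ACL.

// Constructed sample inputs for the demo below.
const SAMPLES = {
  benign: 'https://allowed.example/docs/index.html',
  hostConfusion: 'https://allowed.example%40evil.example/',
  traversal: 'https://allowed.example/public/%2E%2E/admin',
};

// Split scheme://authority/path on the LITERAL delimiters only; nothing is
// percent-decoded at this stage (RFC 3986 section 2.4).
function splitUri(uri) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)([^?#]*)/i.exec(uri);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), authority: m[2], path: m[3] || '/' };
}

// authority = [userinfo "@"] host [":" port]
function hostFromAuthority(authority) {
  const at = authority.lastIndexOf('@');
  const hostPort = at === -1 ? authority : authority.slice(at + 1);
  if (hostPort.startsWith('[')) {            // IPv6 literal keeps its brackets
    const end = hostPort.indexOf(']');
    return end === -1 ? null : hostPort.slice(0, end + 1).toLowerCase();
  }
  return hostPort.replace(/:\d*$/, '').toLowerCase();
}

// CWE-436 pattern: decoding the whole URI before splitting turns "%40" into
// a live "@" delimiter and moves the host boundary to the attacker's host.
function hostDecodeThenSplit(uri) {
  const parts = splitUri(decodeURIComponent(uri));
  return parts ? hostFromAuthority(parts.authority) : null;
}

// Correct order: split on raw delimiters first, decode components afterwards.
// A percent-escape left inside the host is a signal to reject, not a delimiter.
function hostSplitThenDecode(uri) {
  const parts = splitUri(uri);
  return parts ? hostFromAuthority(parts.authority) : null;
}

// Defective normalizer: collapses only literal "." and ".." segments, so an
// encoded "%2E%2E" survives and a prefix ACL on the result can be fooled.
function removeDotSegments(path) {
  const out = [];
  for (const seg of path.split('/').slice(1)) {
    if (seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// RFC 3986 section 6.2.2: decode percent-encoded unreserved octets ("." is
// unreserved) BEFORE remove_dot_segments, so %2E%2E is handled as "..".
function normalizePath(path) {
  return removeDotSegments(path.replace(/%2e/gi, '.'));
}

// Plain DNS hostname: no percent-escapes, no delimiters, no empty labels.
const HOSTNAME_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/;

// Fail-closed domain allowlist check: the raw-split host must be a plain
// hostname, must agree with the WHATWG URL parser's view of the same URI
// (differential check against a second implementation), and must be listed.
function isAllowed(uri, allowedHosts) {
  const host = hostSplitThenDecode(uri);
  if (!host || !HOSTNAME_RE.test(host)) return false;
  let whatwgHost;
  try { whatwgHost = new URL(uri).hostname; } catch { return false; }
  if (whatwgHost !== host) return false;
  return allowedHosts.includes(host);
}

// Path ACL that normalizes before the prefix test; returns the path it judged.
function pathWithinPrefix(uri, prefix) {
  const parts = splitUri(uri);
  if (!parts) return { ok: false, path: null };
  const path = normalizePath(parts.path);
  return { ok: path.startsWith(prefix), path };
}

// Stand-alone demo over the constructed samples.
function demo() {
  const allow = ['allowed.example'];
  for (const [name, uri] of Object.entries(SAMPLES)) {
    const { path } = splitUri(uri);
    console.log(name, {
      decodeThenSplit: hostDecodeThenSplit(uri),
      splitThenDecode: hostSplitThenDecode(uri),
      allowed: isAllowed(uri, allow),
      literalDotsOnly: removeDotSegments(path),
      normalized: normalizePath(path),
    });
  }
}
demo();
```

The differential check in isAllowed is the cheap version of the last testing item: whenever two independent parsers disagree on the host of a URI, the ACL should fail closed rather than trust either one.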

Detection Details

  • Detected by: Dependency Security Monitor Workflow
  • Detection Time: 2026-05-09T06:31:58Z
  • Source: npm audit

Generated by Dependency Security Monitor

  • Expires: Jun 8, 2026, 6:35 AM UTC
