Skip to content

[Aikido] Fix security issue in fast-uri via minor version upgrade from 3.1.0 to 3.1.3 in apps#5

Open
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-59595285-h7oi
Open

[Aikido] Fix security issue in fast-uri via minor version upgrade from 3.1.0 to 3.1.3 in apps#5
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-59595285-h7oi

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jul 2, 2026

Copy link
Copy Markdown

Upgrade fast-uri to fix path traversal, authority spoofing, and host canonicalization vulnerabilities in normalize() and equal() functions.

✅ 4 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2026-6321
HIGH
[fast-uri] A vulnerability in URI normalization allows attackers to bypass path-based access controls by using percent-encoded separators and dot segments that normalize to unintended paths. This enables policy bypass attacks where restricted paths can be accessed through specially crafted encoded URLs.
CVE-2026-6322
HIGH
[fast-uri] Normalize function improperly decodes percent-encoded authority delimiters in the host component, re-emitting them as raw delimiters during serialization. This allows attackers to bypass host allowlist checks and redirect requests to unintended authorities.
AIKIDO-2026-10784
HIGH
[fast-uri] A path normalization vulnerability allows attackers to bypass security checks by using percent-encoded slashes and dots that are decoded before dot-segment removal, causing distinct URIs to normalize identically and compare equal.
AIKIDO-2026-507986
HIGH
[fast-uri] A security bypass vulnerability exists in host canonicalization for Unicode/IDN values due to inconsistent ASCII/Unicode host handling, which could allow attackers to bypass security checks through improper host normalization.

Note

Low Risk
Dependency-only security patch with no application code changes; residual risk is limited to whether nested ajv still resolves vulnerable 3.1.0 unless hoisted/overridden.

Overview
Pins fast-uri@3.1.3 as a direct dependency of @sharehtml/cli and updates the lockfile so the resolved top-level package moves from 3.1.0 to 3.1.3, addressing high-severity issues in normalize() / equal() (path traversal, encoded authority bypass, and host canonicalization).

The lockfile also records a separate ajv/fast-uri@3.1.0 entry for AJV’s transitive dependency; the workspace now explicitly depends on the patched version for the CLI install graph.

Reviewed by Cursor Bugbot for commit 27268f3. Bugbot is set up for automated code reviews on this repo. Configure here.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 27268f3. Configure here.

Comment thread apps/cli/bun.lock

"when-exit": ["when-exit@2.1.5", "", {}, "sha512-VGkKJ564kzt6Ms1dbgPP/yuIoQCrsFAnRbptpC5wOEsDaNsbCB2bnfnaA8i/vRs5tjUSEOtIuvl9/MyVsvQZCg=="],

"ajv/fast-uri": ["fast-uri@3.1.0", "", {}, "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA=="],

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nested ajv fast-uri stays vulnerable

Medium Severity

The bun.lock file includes fast-uri@3.1.3, but apps/cli/package.json is missing this dependency. As package.json is the source of truth, bun install could revert the lockfile entry or cause frozen lockfile checks to fail.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 27268f3. Configure here.

Comment thread apps/cli/bun.lock

"when-exit": ["when-exit@2.1.5", "", {}, "sha512-VGkKJ564kzt6Ms1dbgPP/yuIoQCrsFAnRbptpC5wOEsDaNsbCB2bnfnaA8i/vRs5tjUSEOtIuvl9/MyVsvQZCg=="],

"ajv/fast-uri": ["fast-uri@3.1.0", "", {}, "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA=="],

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ajv still uses vulnerable fast-uri

High Severity

This change pins fast-uri@3.1.3 at the workspace root while the lockfile still resolves ajv’s dependency as nested fast-uri@3.1.0. The CLI never imports fast-uri directly; conf pulls it in through ajv, so URI normalization for schema handling can still run the pre-patch library the CVEs target.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 27268f3. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants