OCPBUGS-94055: Fix CVE-2026-13676 fast-uri Unicode hostname canonicalization bypass #16705
jrangelramos wants to merge 1 commit into
Conversation
…ization bypass

Bump fast-uri from 3.1.2 to 3.1.3 via yarn resolutions to fix a security policy bypass where Unicode (IDN) hostnames are not properly canonicalized, allowing host-based policy enforcement to be bypassed. Version 3.1.3 adds proper IDN conversion for HTTP-family URLs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jrangelramos: This pull request references Jira Issue OCPBUGS-94055, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug.
The bug has been updated to refer to the pull request using the external bug tracker.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: jrangelramos
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
No actionable comments were generated in the recent review.
Recent review info
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Files ignored due to path filters (1)
Files selected for processing (1)
Walkthrough: This change updates the
Changes: Dependency Version Bump
Estimated code review effort: 1 (Trivial) | ~2 minutes
Pre-merge checks: 15 passed
@jrangelramos: This pull request references Jira Issue OCPBUGS-94055, which is valid. 3 validation(s) were run on this bug.
In response to this:
@jrangelramos: The following test failed, say
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Analysis / Root cause
`fast-uri` versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs (CVE-2026-13676). The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while `normalize()` and `equal()` still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's `URL` or `fetch` can be bypassed when the two implementations resolve the same input to different hosts.

The package is a transitive dependency pulled in by:
`ajv@8.17.1` → `fast-uri@3.1.2`

There was already a yarn resolution pinning `fast-uri` at `3.1.2` — the vulnerable version.

Solution description
Bump `fast-uri` from 3.1.2 to 3.1.3 in the yarn resolutions of `frontend/package.json`. Version 3.1.3 adds proper IDN conversion for HTTP-family URLs, ensuring Unicode hostnames are correctly canonicalized.

This follows the existing pattern used for other CVE resolution overrides (`shell-quote`, `protobufjs`, `decode-uri-component`, etc.).

Test cases
- `yarn install` completes without errors
- webpack --mode=development) succeeds
- `swagger.spec.ts` failures unrelated to this change)

Additional info

Summary by CodeRabbit
- `fast-uri` to a newer patch version.
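The host-policy mismatch described in the root-cause analysis above, as an added Node.js example that is not code from this PR or from fast-uri: a naive textual host check beside one that canonicalizes through the built-in WHATWG URL parser, so the policy layer and the layer that performs the request agree on the host. The denylist, the URLs and the function names are constructed for the illustration; the naive check stands in for any comparison done on an un-canonicalized host and is not fast-uri's code.

```javascript
// Added example, not code from the PR or from fast-uri: a host-based policy
// check (e.g. a loopback denylist in front of an outbound proxy) that
// canonicalizes hostnames with the WHATWG URL parser before comparing them.

// Constructed denylist of loopback hosts a proxy must not forward to.
const DENIED_HOSTS = ['localhost', '127.0.0.1', '[::1]'];

// Canonical host of an absolute URL as Node's built-in WHATWG parser sees it.
// For HTTP-family URLs this lowercases the host, applies the IDNA (UTS #46)
// mapping and converts Unicode labels to punycode, which is the same host the
// request layer (URL / fetch) will actually connect to.
// Returns null for input that does not parse as an absolute URL.
function canonicalHost(input) {
  try {
    return new URL(input).hostname;
  } catch {
    return null;
  }
}

// Naive check: compare the host textually, as written in the URL. This mirrors
// the failure mode in the PR: an IDN host keeps its Unicode form, so it never
// matches an ASCII denylist entry even though the request layer resolves it
// to the same machine.
function naiveHostIsDenied(input) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]+)/i.exec(input);
  if (!m) return true;                        // fail closed on unparsable input
  const host = m[1].replace(/^[^@]*@/, '')    // drop userinfo
                   .replace(/:\d+$/, '');     // drop port
  return DENIED_HOSTS.includes(host.toLowerCase());
}

// Hardened check: canonicalize the input and the denylist the same way, then
// compare. Denylist entries are run through the same parser so Unicode or
// mixed-case entries in the policy itself are handled identically.
const DENIED_CANONICAL = new Set(
  DENIED_HOSTS.map((h) => canonicalHost(`http://${h}/`))
);

function hardenedHostIsDenied(input) {
  const host = canonicalHost(input);
  if (host === null) return true;             // fail closed on unparsable input
  return DENIED_CANONICAL.has(host);
}
```

A fullwidth spelling of a loopback name passes the naive check and is caught by the hardened one; a genuine IDN host such as `例え.jp` canonicalizes to its punycode form and is correctly allowed.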