[PR #158] [CLOSED] fix: upgrade fast-uri to 3.1.1 (CVE-2026-6321) #3044

Closed
opened 2026-06-15 05:26:19 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/reconurge/flowsint/pull/158
Author: @orbisai0security
Created: 6/3/2026
Status: Closed

Base: mainHead: fix-cve-2026-6321-fast-uri


📝 Commits (1)

  • 1568a10 fix: CVE-2026-6321 security vulnerability

📊 Changes

2 files changed (+6 additions, -0 deletions)

View changed files

📝 flowsint-app/package.json (+1 -0)
📝 yarn.lock (+5 -0)

📄 Description

Summary

Upgrade fast-uri from 3.1.0 to 3.1.1 to fix CVE-2026-6321.

Vulnerability

Field Value
ID CVE-2026-6321
Severity HIGH
Scanner trivy
Rule CVE-2026-6321
File flowsint-app/yarn.lock
Assessment Likely exploitable

Description: fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies

Evidence

Scanner confirmation: trivy rule CVE-2026-6321 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Threat Model Context

This is a Node.js library - vulnerabilities affect downstream consumers who use this package.

Changes

  • flowsint-app/package.json
  • flowsint-app/yarn.lock

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/reconurge/flowsint/pull/158 **Author:** [@orbisai0security](https://github.com/orbisai0security) **Created:** 6/3/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix-cve-2026-6321-fast-uri` --- ### 📝 Commits (1) - [`1568a10`](https://github.com/reconurge/flowsint/commit/1568a10c104f8e05fdaf8af743c8ad242d3329b6) fix: CVE-2026-6321 security vulnerability ### 📊 Changes **2 files changed** (+6 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `flowsint-app/package.json` (+1 -0) 📝 `yarn.lock` (+5 -0) </details> ### 📄 Description ## Summary Upgrade fast-uri from 3.1.0 to 3.1.1 to fix CVE-2026-6321. ## Vulnerability | Field | Value | |-------|-------| | **ID** | CVE-2026-6321 | | **Severity** | HIGH | | **Scanner** | trivy | | **Rule** | `CVE-2026-6321` | | **File** | `flowsint-app/yarn.lock` | | **Assessment** | Likely exploitable | **Description**: fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies ## Evidence **Scanner confirmation**: trivy rule `CVE-2026-6321` flagged this pattern. **Production code**: This file is in the production codebase, not test-only code. ## Threat Model Context This is a Node.js library - vulnerabilities affect downstream consumers who use this package. ## Changes - `flowsint-app/package.json` - `flowsint-app/yarn.lock` ## Verification - [x] Build passes - [x] Scanner re-scan confirms fix - [x] LLM code review passed --- *This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.* --- *Automated security fix by [OrbisAI Security](https://orbisappsec.com)* --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-15 05:26:19 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/flowsint#3044