Skip to content

fix: upgrade fast-uri to 3.1.1 (CVE-2026-6321)#3493

Open
orbisai0security wants to merge 1 commit into
Azure:mainfrom
orbisai0security:fix-cve-2026-6321-fast-uri
Open

fix: upgrade fast-uri to 3.1.1 (CVE-2026-6321)#3493
orbisai0security wants to merge 1 commit into
Azure:mainfrom
orbisai0security:fix-cve-2026-6321-fast-uri

Conversation

@orbisai0security

Copy link
Copy Markdown

Summary

Upgrade fast-uri from 3.1.0 to 3.1.1 to fix CVE-2026-6321.

Vulnerability

Field Value
ID CVE-2026-6321
Severity HIGH
Scanner trivy
Rule CVE-2026-6321
File eng/common/tsp-client/package-lock.json
Assessment Likely exploitable

Description: fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies

Evidence

Scanner confirmation: trivy rule CVE-2026-6321 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Changes

  • eng/common/tsp-client/package.json
  • eng/common/tsp-client/package-lock.json

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security

Automated dependency upgrade by OrbisAI Security
@orbisai0security orbisai0security requested a review from a team as a code owner May 27, 2026 15:36
@github-actions github-actions Bot added Community Contribution Community members are working on the issue customer-reported Issues that are reported by GitHub users external to the Azure organization. labels May 27, 2026
@github-actions

Copy link
Copy Markdown

Thank you for your contribution @orbisai0security! We will review the pull request and get back to you soon.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Community Contribution Community members are working on the issue customer-reported Issues that are reported by GitHub users external to the Azure organization.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant