fast-uri is a Dependency-free RFC 3986 URI toolbox
Affected versions of this package are vulnerable to Interpretation Conflict in its parse(), normalize(), and equal() functions, which call the nonexistent URL.domainToASCII() static method and silently swallow the resulting TypeError into parsed.error, leaving an internationalized hostname in its unconverted Unicode form. An attacker can steer host-based security policies to an unintended destination by supplying a URL with a Unicode or fullwidth hostname such as http://127。0。0。1/, which is parsed with the host left as 127。0。0。1 while Node's WHATWG URL parser and fetch() canonicalize it to 127.0.0.1. Exploitation requires the application to use this library for host-based decisions such as denylists, loopback filtering, or redirect and proxy validation before passing the URL to a downstream consumer that canonicalizes the host differently.
Remediation
Upgrade fast-uri to version 3.1.3, 4.0.1 or higher.