Uriparser Project Uriparser — known CVE vulnerabilities
Every CVE whose affected-product data names Uriparser Project Uriparser, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (11)
CVE-2018-20721 — CVSS 9.8 (critical): URI_FUNC() in UriParse.c in uriparser before 0.9.1 has an out-of-bounds read (in uriParse*Ex* functions) for an incomplete URI with an IPv6…
CVE-2018-19199 — CVSS 9.8 (critical): An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an integer overflow via a uriComposeQuery* or uriComposeQueryEx*…
CVE-2018-19198 — CVSS 9.8 (critical): An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx*…
CVE-2024-34402 — CVSS 8.6 (high): An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with…
CVE-2018-19200 — CVSS 7.5 (high): An issue was discovered in uriparser before 0.9.0. UriCommon.c allows attempted operations on NULL input via a uriResetUri* function.
CVE-2024-34403 — CVSS 5.9 (medium): An issue was discovered in uriparser through 0.9.7. ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a long string.
CVE-2021-46142 — CVSS 5.5 (medium): An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.
CVE-2021-46141 — CVSS 5.5 (medium): An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.
CVE-2026-42371 — CVSS 5.1 (medium): uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.
CVE-2026-44927 — CVSS 2.9 (low): In uriparser before 1.0.2, there is pointer difference truncation to int in various places.
CVE-2026-44928 — CVSS 2.9 (low): In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.