{"schema_version":"1.7.2","id":"OESA-2026-2188","modified":"2026-05-03T09:57:47Z","published":"2026-05-03T09:57:47Z","upstream":["CVE-2025-67899","CVE-2026-42371"],"summary":"uriparser security update","details":"The package is a strictly RFC 3986 compliant URI parsing library written in C89("ANSI C"). uriparser is cross-platform, fast, supports Unicode and is licensed under the New BSD license. There are a number of applications, libraries and hardware using uriparser, as well as bindings and 3rd-party wrappers. uriparser is packaged in major distributions.\r\n\r\nSecurity Fix(es):\n\nuriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.(CVE-2025-67899)\n\nuriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.(CVE-2026-42371)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"uriparser","purl":"pkg:rpm/openEuler/uriparser&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.1-1.oe2403sp3"}]}],"ecosystem_specific":{"aarch64":["uriparser-1.0.1-1.oe2403sp3.aarch64.rpm","uriparser-debuginfo-1.0.1-1.oe2403sp3.aarch64.rpm","uriparser-debugsource-1.0.1-1.oe2403sp3.aarch64.rpm","uriparser-devel-1.0.1-1.oe2403sp3.aarch64.rpm"],"noarch":["uriparser-help-1.0.1-1.oe2403sp3.noarch.rpm"],"src":["uriparser-1.0.1-1.oe2403sp3.src.rpm"],"x86_64":["uriparser-1.0.1-1.oe2403sp3.x86_64.rpm","uriparser-debuginfo-1.0.1-1.oe2403sp3.x86_64.rpm","uriparser-debugsource-1.0.1-1.oe2403sp3.x86_64.rpm","uriparser-devel-1.0.1-1.oe2403sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2188"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67899"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42371"}],"database_specific":{"severity":"Medium"}}