Emergency security override for CVE-2026-6321 and CVE-2026-6322 — closes #1687, unblocks #1678 and #1686.
| Advisory | CVE | Severity | Vector |
|---|---|---|---|
| GHSA-q3j6-qgpj-74h6 | CVE-2026-6321 | High | Path traversal via percent-encoded dot segments |
| GHSA-v39h-62p7-jpjc | CVE-2026-6322 | High | Host confusion via percent-encoded authority delimiters |
```
orchestkit@7.85.0
└─┬ agentation-mcp@1.2.0
  └─┬ @modelcontextprotocol/sdk@1.29.0
    └─┬ ajv@8.18.0
      └── fast-uri@3.1.2 (was 3.1.0 — vulnerable)
```
"overrides": {
"hono": "^4.12.18",
"ip-address": "^10.2.0",
- "express-rate-limit": "^8.5.1"
+ "express-rate-limit": "^8.5.1",
+ "fast-uri": "^3.1.2"
}
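Review bot: the `"fast-uri": "^3.1.2"` override is the right minimal change, but an override in package.json alone does not change what `npm ci` installs; the regenerated package-lock.json described in the summary ("npm install regenerates the lockfile") needs to be committed in the same PR, otherwise the `npm ls fast-uri` and `npm audit` results in the verification table will not reproduce in CI. Also worth noting for reviewers: an override applies to every copy of fast-uri in the tree, not only the one under ajv@8.18.0 shown in the dependency path, so the `npm ls fast-uri` check should be run without a depth limit to confirm no nested 3.1.0 copy remains.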
| Check | Before | After |
|---|---|---|
| `npm ls fast-uri` | 3.1.0 | 3.1.2 |
| `npm audit` findings ≥ moderate | 2 high | 0 |
| `tests/security/test-npm-audit.sh` | FAIL | PASS |
| `npm run test:security` (14 suites) | 13/14 | 14/14 |
Mirrors PR #1624 (hono / ip-address / express-rate-limit overrides). Same one-line addition to overrides in package.json; npm install regenerates the lockfile; no source-code changes required.
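The verification table above relies on `npm ls fast-uri` to confirm the override reached every copy of the package. As an added example (not part of this PR or the orchestkit repo), the script below does the same check directly against a package-lock.json `packages` map, so it can run as a CI gate before `npm audit`: it finds every installed copy of a package, top-level or nested, and reports any that are still below the minimum fixed version. Both lockfile fragments are constructed for illustration; the package and version names mirror the dependency path shown above, and `MIN_FIXED` takes the 3.1.2 floor from the override.

```javascript
// Added example: verify that an npm override actually took effect by walking a
// package-lock.json (lockfileVersion 2/3 "packages" map). Not code from the PR.

const MIN_FIXED = "3.1.2"; // first fast-uri version the override allows (from the PR)

// Minimal comparison for plain x.y.z version strings (no prerelease handling).
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name`, wherever it sits in the tree.
// Lockfile keys look like "node_modules/foo" or "node_modules/bar/node_modules/foo".
function findInstalled(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies that are still older than the minimum fixed version.
function vulnerableCopies(lock, name, minFixed) {
  return findInstalled(lock, name).filter(
    (copy) => compareVersions(copy.version, minFixed) < 0
  );
}

// Constructed lockfile BEFORE the override: ajv still carries a nested 3.1.0 copy.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "orchestkit", version: "7.85.0" },
    "node_modules/agentation-mcp": { version: "1.2.0" },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.29.0" },
    "node_modules/ajv": { version: "8.18.0" },
    "node_modules/ajv/node_modules/fast-uri": { version: "3.1.0" },
  },
};

// Constructed lockfile AFTER `npm install` with "fast-uri": "^3.1.2" in overrides:
// the nested copy is gone and a single hoisted 3.1.2 satisfies ajv.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "": { name: "orchestkit", version: "7.85.0" },
    "node_modules/agentation-mcp": { version: "1.2.0" },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.29.0" },
    "node_modules/ajv": { version: "8.18.0" },
    "node_modules/fast-uri": { version: "3.1.2" },
  },
};

// Produce a short report; a CI wrapper would exit non-zero when `ok` is false.
function report(lock, name, minFixed) {
  const bad = vulnerableCopies(lock, name, minFixed);
  return {
    ok: bad.length === 0,
    installed: findInstalled(lock, name).map((c) => c.version),
    vulnerable: bad.map((c) => `${c.path}@${c.version}`),
  };
}

console.log("before:", JSON.stringify(report(lockBefore, "fast-uri", MIN_FIXED)));
console.log("after: ", JSON.stringify(report(lockAfter, "fast-uri", MIN_FIXED)));
```

To use it against a real checkout, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the check is deliberately independent of `npm ls` so it also catches a lockfile that was edited without being regenerated.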
Tracking: M134 — Upgrade to CC 2.1.138 / W7