# Unicode Normalization Security Issues

- ID: javascript-unicode-normalization
- Severity: MEDIUM
- CWE: CWE-176
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, koa, nextjs

## Description

Detects missing Unicode normalization in security-sensitive string comparisons. Unicode allows multiple encodings of visually identical or equivalent text, so a comparison against the raw input can be bypassed by submitting a different encoding of the same name that a later component (database collation, file system, display layer) treats as equal.

Common attack vectors:

- Full-width characters: "ａｄｍｉｎ" (U+FF41..U+FF4E) vs "admin". NFKC maps the full-width forms to their ASCII equivalents.
- Combining characters: "é" can be a single precomposed code point (U+00E9) or 'e' followed by a combining acute accent (U+0301). Both NFC and NFKC compose these into one code point.
- Compatibility characters such as the ligature "ﬁ" (U+FB01) or the Kelvin sign "K" (U+212A), which NFKC maps to "fi" and "K".
- Case folding differences: "ß" (German sharp s) becomes "SS" when uppercased. Note that normalize() performs no case mapping at all: "ß" is unchanged by NFKC and by toLowerCase(), so a comparison that must treat "straße" and "strasse" as equal needs a case fold in addition to normalization.
- Homograph attacks (using lookalike characters from another script): "аdmin" (Cyrillic 'а', U+0430) vs "admin". Normalization does not neutralise these; Cyrillic 'а' has no decomposition and survives NFKC unchanged. Such names must be rejected by restricting the allowed alphabet after normalization, or by a confusables check.

Always normalize Unicode strings with String.prototype.normalize() before security-sensitive comparisons, and apply any length or character-set validation to the normalized value rather than the raw input, because NFKC can change both the length and the character set of a string.

## Detection Message

User input from {source} is compared at {sink} without Unicode normalization. This could allow bypassing validation using different Unicode representations.

## Remediation

Normalize Unicode strings with NFKC before security-sensitive comparisons:

```javascript
app.post('/login', (req, res) => {
  // req.body is attacker-controlled: reject non-strings instead of throwing on undefined.
  if (typeof req.body.username !== 'string') {
    return res.status(400).send('Invalid username');
  }
  // Canonicalize first, then compare; comparing the raw value lets "ａｄｍｉｎ" slip past.
  const username = req.body.username.normalize('NFKC').toLowerCase();
  if (username === 'admin') {
    return res.send('Admin access');
  }
  res.send('User access');
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-176/unicode-normalization

## Related Rules

- **Unicode Normalization Security Issues** [MEDIUM]
- **Unicode Normalization Issues** [MEDIUM]
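The following is an added, stand-alone example that is not part of the rule page or its remediation snippet; the function names (`canonicalUsername`, `isReservedNameVulnerable`, `checkReservedNameHardened`, `foldForComparison`) and the sample inputs are constructed for illustration. It puts a raw comparison next to the normalized one and runs both over the attack vectors listed above, including the two that NFKC alone does not handle (cross-script homographs and "ß"), so it also shows the alphabet check and case fold a practitioner needs on top of normalize().

```javascript
// Added example (not the rule's own code). Plain Node.js, no dependencies.

// Canonical form used for every security-sensitive comparison.
// NFKC folds compatibility variants (fullwidth letters, ligatures, Kelvin sign)
// and composes base + combining sequences into precomposed code points.
function canonicalUsername(raw) {
  // Request bodies are attacker-controlled: reject non-strings instead of throwing.
  if (typeof raw !== 'string') return null;
  return raw.normalize('NFKC').toLowerCase();
}

// Vulnerable: compares the raw input, so the fullwidth spelling is "not admin".
function isReservedNameVulnerable(raw) {
  return raw === 'admin';
}

// Hardened: canonicalize, then restrict the alphabet of the *normalized* value.
// The alphabet check is what catches Cyrillic 'а' (U+0430), which NFKC leaves alone.
const ALLOWED = /^[a-z0-9._-]+$/;
function checkReservedNameHardened(raw, reserved = ['admin', 'root']) {
  const name = canonicalUsername(raw);
  if (name === null || !ALLOWED.test(name)) return { ok: false, reason: 'invalid' };
  if (reserved.includes(name)) return { ok: false, reason: 'reserved' };
  return { ok: true, name };
}

// normalize() does no case mapping. JavaScript has no full case-fold API, but
// upper-then-lower applies SpecialCasing, so "ß" -> "SS" -> "ss" (assumption:
// acceptable for the Latin-script identifiers this page is about).
function foldForComparison(raw) {
  return raw.normalize('NFKC').toUpperCase().toLowerCase();
}

// Constructed inputs exercising each vector from the description.
const SAMPLES = {
  fullwidth: '\uFF41\uFF44\uFF4D\uFF49\uFF4E',   // ａｄｍｉｎ
  combining: 'cafe\u0301',                        // e + U+0301
  ligature: '\uFB01le',                            // ﬁle
  kelvin: '\u212Aelvin',                           // Kelvin sign
  cyrillic: '\u0430dmin',                          // Cyrillic а
  sharpS: 'Stra\u00DFe',
};

function demo() {
  return Object.entries(SAMPLES).map(([label, input]) => ({
    label,
    vulnerable: isReservedNameVulnerable(input),
    canonical: canonicalUsername(input),
    hardened: checkReservedNameHardened(input).reason || 'ok',
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

In the output, the fullwidth name is rejected as `reserved` only by the hardened check, the Cyrillic homograph is rejected as `invalid` because its canonical form still contains a non-ASCII character, and `Straße` only equals `strasse` once `foldForComparison` is used rather than `canonicalUsername`.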