CVE-2026-6322
Modified
Modified - Updated After Analysis
fast-uri normalize() Authority Manipulation in Host Component
Vulnerability report for CVE-2026-6322, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-05
Last updated on: 2026-07-03
Assigner: openjs
Description
Description
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastify | fast-uri | to 3.1.2 (exc) |
| fastify | fast-uri | 3.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-140 | The product does not neutralize or incorrectly neutralizes delimiters. |
| CWE-436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |