CVE-2026-6322
fast-uri normalize() Authority Manipulation in Host Component
Publication date: 2026-05-05
Last updated on: 2026-05-07
Assigner: openjs
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastify | fast-uri | < 3.1.2 (affected: 3.1.1 and earlier) |
| fastify | fast-uri | 3.1.2 (fixed) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-436 | Interpretation Conflict: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in fast-uri versions 3.1.1 and earlier involves improper handling of percent-encoded authority delimiters within the host component of a URI. Specifically, the library decodes encoded characters like %40 (which represents the @ symbol) and then re-emits them as raw characters during serialization. This causes the URI's authority section to be altered, turning what was originally a hostname into a userinfo part followed by a different host.
As a result, applications that normalize untrusted URLs before performing host allowlist checks, redirect validation, or outbound request routing can be tricked into interpreting the URL as pointing to a different authority than intended.
This vulnerability is classified under CWE-436 (Interpretation Conflict) and has been fixed in fast-uri version 3.1.2.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in fast-uri allows attackers to manipulate URLs by altering the host component through improper decoding and serialization of percent-encoded authority delimiters. This can lead to applications being redirected to unintended authorities, potentially causing unauthorized data access or redirection.
Such manipulation could impact compliance with standards and regulations like GDPR or HIPAA, which require strict controls over data access and transmission. If an attacker exploits this vulnerability to redirect requests or bypass host allowlist checks, it could lead to unauthorized disclosure or modification of sensitive information, violating these regulations.
Therefore, organizations using affected versions of fast-uri should upgrade to version 3.1.2 or later to mitigate risks that could affect regulatory compliance related to data integrity and confidentiality.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to manipulate URLs in a way that bypasses host allowlist checks, redirect validations, or outbound request routing controls.
Because the URI authority can be changed during normalization, an attacker can redirect requests or traffic to unintended or malicious domains without detection.
The impact is primarily on the integrity of the application's URL handling, potentially leading to security issues such as unauthorized access, phishing, or data interception.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the improper decoding and re-emission of percent-encoded authority delimiters in URIs, which can cause host confusion. Detection therefore looks for URIs in which an encoded at-sign (%40) or colon (%3A) sits inside the host component: once decoded and re-emitted raw, those two escapes become the userinfo and port delimiters, and the host moves.
To find exploitation attempts, inspect application logs or captured traffic for URLs whose authority contains such escapes. Two caveats apply. A URL supplied in a query parameter is itself URL-encoded in the raw request line, so the attacker's %40 appears in the log as %2540 and is missed by a grep for %40. Conversely, the same grep matches benign data such as e-mail addresses (user%40example.com) and every encoded https%3A%2F%2F prefix, so it is noisy. Decode query parameter values once, then look for escapes in the authority portion only.
Suggested commands include using network traffic analysis tools or log search commands to find such patterns. For example, a first-pass grep on server logs (expect the false positives noted above):
- grep -E '%40|%3A' /path/to/access.log
- Capturing plaintext HTTP with tcpdump (the filter keeps only TCP segments that carry payload) and grepping the output for the same escapes:
- tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E '%40|%3A'
Additionally, review application logs for unexpected redirects or host allowlist bypass attempts involving URLs with encoded delimiters, and for outbound requests whose destination host differs from the host the application validated.
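The detection step above, as an added example that is not part of the advisory: a small log scanner that decodes each URL-valued query parameter once and then checks only the authority of the resulting URL for a percent-encoded delimiter. The log lines, the parameter names (`next`, `url`, `q`) and the hostnames are constructed for the illustration; the advisory's own `grep` pattern is included as `naiveGrep` for comparison.

```javascript
// Added detection example, not from the advisory: scan constructed access-log
// lines for URL-valued query parameters whose authority still contains a
// percent-encoded delimiter after one round of decoding. That is the shape an
// exploit attempt has when the URL travels in a query parameter, and it is
// what a plain grep for "%40" or "%3A" over the raw log cannot distinguish
// from benign traffic.

// Request line of a combined-format access log: method, target, version.
const REQUEST_RE = /"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP\/[0-9.]+"/;
// Scheme plus authority of an absolute URL.
const AUTHORITY_RE = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i;
// Escapes that decode to RFC 3986 gen-delims: ":" "/" "?" "#" "[" "]" "@".
const ENCODED_DELIM_RE = /%(3A|2F|3F|23|5B|5D|40)/i;

// One round of form decoding; malformed escapes yield null instead of throwing.
function decodeOnce(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return null; }
}

// Returns the query parameters of one request target whose decoded value is an
// absolute URL with an encoded delimiter left inside its authority.
function findSuspiciousParams(target) {
  const hits = [];
  const q = target.indexOf('?');
  if (q === -1) return hits;
  for (const pair of target.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    const value = decodeOnce(pair.slice(eq + 1));
    if (value === null) continue;
    const m = AUTHORITY_RE.exec(value);
    if (m && ENCODED_DELIM_RE.test(m[1])) {
      hits.push({ param: pair.slice(0, eq), authority: m[1] });
    }
  }
  return hits;
}

// Scans every log line and returns one finding per suspicious parameter.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    for (const hit of findSuspiciousParams(m[1])) findings.push({ line, ...hit });
  }
  return findings;
}

// The advisory's grep pattern, for comparison.
function naiveGrep(lines) {
  return lines.filter((l) => /%40|%3A/i.test(l));
}

// Constructed log lines. Only the first is an exploitation attempt: its "next"
// parameter decodes to https://attacker.example%40allowed.example/cb. The other
// three are benign but all contain "%40" or "%3A" in raw form.
const LOG_LINES = [
  '192.0.2.10 - - [05/May/2026:10:00:00 +0000] "GET /login?next=https%3A%2F%2Fattacker.example%2540allowed.example%2Fcb HTTP/1.1" 302 0',
  '192.0.2.11 - - [05/May/2026:10:00:01 +0000] "GET /login?next=https%3A%2F%2Fallowed.example%2Fcb HTTP/1.1" 302 0',
  '192.0.2.12 - - [05/May/2026:10:00:02 +0000] "GET /search?q=alice%40example.com HTTP/1.1" 200 512',
  '192.0.2.13 - - [05/May/2026:10:00:03 +0000] "GET /api/fetch?url=https://allowed.example%3A8443/data HTTP/1.1" 200 10',
];

console.log('naive grep matched', naiveGrep(LOG_LINES).length, 'of', LOG_LINES.length, 'lines');
console.log('scanner findings:', JSON.stringify(scanLog(LOG_LINES), null, 2));
```

On the constructed sample the grep matches all four lines while the scanner reports only the first. The scanner covers URLs carried in query parameters; a URL posted in a request body or stored elsewhere needs the same decode-once-then-inspect-the-authority treatment applied to that source.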
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the fast-uri library to version 3.1.2 or later, where this vulnerability has been patched.
Until the update can be applied, do not feed the normalized string to host allowlist checks, redirect validation, or outbound request routing. Parse the original string instead, and treat any URL whose authority (userinfo, host, port) differs between the original and the normalized form as malformed and reject it.
Review and tighten URL validation so that percent-encoded octets in the host component are never decoded into raw delimiters. Per RFC 3986 only escapes of unreserved characters may be decoded during normalization; an encoded "@" (%40) or ":" (%3A) must stay encoded, because the raw and encoded forms of a reserved character are not equivalent.
Monitor network and application logs for suspicious URL patterns as described in detection steps to identify potential exploitation attempts.
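The mechanism described in the first answer, together with the before-and-after authority check suggested in this one, as an added example. This is not fast-uri's code and does not reproduce the 3.1.2 patch: the parser, the serializer, both normalizers, `authorityPreserved()` and the sample URL are constructed for the illustration, and `safeNormalize()` follows the percent-encoding normalization rules of RFC 3986 section 6.2.2 rather than any specific library.

```javascript
// Added example, not fast-uri's code: a toy RFC 3986 URI parser with two
// normalizers. buggyNormalize() reproduces the behaviour the advisory
// describes (decode the host, re-emit it raw); safeNormalize() decodes only
// unreserved characters as RFC 3986 section 6.2.2.2 requires, so "%40" and
// "%3A" stay encoded. authorityPreserved() is the pre-upgrade check.

// RFC 3986 Appendix B regular expression: scheme, authority, path, query, fragment.
const URI_RE = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

function parseUri(uri) {
  const m = URI_RE.exec(uri);
  const p = { scheme: m[2] ?? null, userinfo: null, host: null, port: null,
              path: m[5], query: m[7] ?? null, fragment: m[9] ?? null };
  if (m[4] === undefined) return p;          // no authority component
  let hostport = m[4];
  const at = hostport.lastIndexOf('@');       // a raw '@' ends the userinfo
  if (at !== -1) {
    p.userinfo = hostport.slice(0, at);
    hostport = hostport.slice(at + 1);
  }
  const colon = hostport.lastIndexOf(':');    // a raw ':' before digits starts the port
  if (colon !== -1 && /^[0-9]*$/.test(hostport.slice(colon + 1))) {
    p.host = hostport.slice(0, colon);
    p.port = hostport.slice(colon + 1);
  } else {
    p.host = hostport;
  }
  return p;
}

function serializeUri(p) {
  let out = p.scheme !== null ? p.scheme + ':' : '';
  if (p.host !== null) {
    out += '//';
    if (p.userinfo !== null) out += p.userinfo + '@';
    out += p.host;
    if (p.port !== null) out += ':' + p.port;
  }
  out += p.path;
  if (p.query !== null) out += '?' + p.query;
  if (p.fragment !== null) out += '#' + p.fragment;
  return out;
}

// Vulnerable pattern: percent-decode the whole host and write it back raw.
// "%40" becomes "@" and "%3A" becomes ":", which the next parser reads as the
// userinfo and port delimiters, so the authority changes.
function buggyNormalize(uri) {
  const p = parseUri(uri);
  if (p.host !== null) p.host = decodeURIComponent(p.host).toLowerCase();
  return serializeUri(p);
}

// Safe pattern: lower-case the reg-name (RFC 3986 6.2.2.1), decode only
// escapes of unreserved characters (ALPHA / DIGIT / "-" / "." / "_" / "~") and
// leave every other escape, delimiters included, encoded with upper-case hex.
function normalizeHost(host) {
  return host.toLowerCase().replace(/%([0-9a-f]{2})/g, (esc, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16)).toLowerCase();
    return /^[a-z0-9._~-]$/.test(ch) ? ch : '%' + hex.toUpperCase();
  });
}

function safeNormalize(uri) {
  const p = parseUri(uri);
  if (p.host !== null) p.host = normalizeHost(p.host);
  return serializeUri(p);
}

// Invariant an application can enforce while it still runs an affected
// version: normalizing a URL must not change its parsed authority.
function authorityPreserved(before, after) {
  const a = parseUri(before), b = parseUri(after);
  return a.userinfo === b.userinfo && a.host === b.host && a.port === b.port;
}

function hostAllowed(uri, allowlist) {
  return allowlist.includes(parseUri(uri).host);
}

// Constructed input: an attacker-controlled URL with an encoded '@' in its host.
const UNTRUSTED = 'https://attacker.example%40allowed.example/callback?next=1';
const ALLOW = ['allowed.example'];

// Runs both normalizers over one URL and reports what an allowlist check sees.
function demonstrate(uri, allowlist) {
  const result = {};
  for (const [name, fn] of [['buggy', buggyNormalize], ['safe', safeNormalize]]) {
    const normalized = fn(uri);
    result[name] = { normalized,
                     preserved: authorityPreserved(uri, normalized),
                     allowed: hostAllowed(normalized, allowlist) };
  }
  return result;
}

console.log(JSON.stringify(demonstrate(UNTRUSTED, ALLOW), null, 2));
```

With the buggy normalizer the sample URL serializes as `https://attacker.example@allowed.example/callback?next=1`, so an allowlist check run on the normalized string sees `allowed.example` while the original string's host was `attacker.example%40allowed.example`; `authorityPreserved()` returns false, which is the signal to reject. With the safe normalizer the authority is unchanged and the allowlist check fails as it should.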