CVE-2026-6322
Status: Awaiting Analysis (Queue)
fast-uri normalize() Authority Manipulation in Host Component

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: openjs

Description
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Meta Information
Published: 2026-05-05
Last Modified: 2026-05-07
Generated: 2026-05-27
AI Q&A: 2026-05-05
EPSS Evaluated: 2026-05-25
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
fastify  fast-uri  up to 3.1.2 (excluding), i.e. all releases through 3.1.1 (affected)
fastify  fast-uri  3.1.2 (the fixed release, listed as an associated CPE)
CWE
CWE-436 (Interpretation Conflict): Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in fast-uri versions 3.1.1 and earlier involves improper handling of percent-encoded authority delimiters within the host component of a URI. normalize() decodes an encoded delimiter such as %40 (the @ symbol) while processing the host and then re-emits it as the raw character during serialization. Because a raw @ in the authority is the userinfo separator, what was a single host token becomes a userinfo part followed by a different host: for example, a host written as allowed.example%40evil.example is emitted as allowed.example@evil.example, which a conforming parser reads as userinfo allowed.example and host evil.example (hostnames illustrative).

As a result, applications that normalize untrusted URLs before performing host allowlist checks, redirect validation, or outbound request routing can be tricked into interpreting the URL as pointing to a different authority than intended.

This vulnerability is classified under CWE-436 (Interpretation Conflict) and has been fixed in fast-uri version 3.1.2.
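
To make the interpretation conflict concrete, the following is an added example, not fast-uri's code and not taken from the advisory: vulnerableNormalize() is a constructed stand-in that reproduces only the step the advisory names (decode %40 inside the authority, emit it raw); parseAuthority() is a small RFC 3986 authority splitter; naiveRedirectCheck() is the validate-after-normalize pattern the advisory warns about, and hardenedRedirectCheck() is a check that is not fooled by it. The hostnames, paths and allowlist are made up.

```javascript
// Added example: a constructed model of the pre-3.1.2 normalize() behaviour the
// advisory describes, beside a host check that survives it. This is NOT
// fast-uri's code: vulnerableNormalize() only reproduces the one step the
// advisory names (decode %40 inside the authority, emit it raw). The hostnames,
// paths and allowlist are made up for the illustration.

const ALLOWED_HOSTS = new Set(['allowed.example']);

// Split "scheme://authority<rest>" without decoding anything.
function splitUri(uri) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)([\s\S]*)$/i.exec(uri);
  return m ? { scheme: m[1], authority: m[2], rest: m[3] } : null;
}

// Stand-in for the faulty normalisation: percent-decode the authority and
// write the characters back raw. "allowed.example%40evil.example" becomes
// "allowed.example@evil.example", which any RFC 3986 parser then reads as
// userinfo "allowed.example" and host "evil.example".
function vulnerableNormalize(uri) {
  const u = splitUri(uri);
  if (!u) throw new Error('not a hierarchical URI: ' + uri);
  return `${u.scheme.toLowerCase()}://${decodeURIComponent(u.authority).toLowerCase()}${u.rest}`;
}

// RFC 3986: authority = [ userinfo "@" ] host [ ":" port ]. The host is taken
// verbatim (no percent-decoding), so an encoded delimiter stays inside it and
// only a raw one splits it. IPv6 literals ("[...]") are kept whole.
function parseAuthority(uri) {
  const u = splitUri(uri);
  if (!u) return null;
  const at = u.authority.lastIndexOf('@');
  const userinfo = at === -1 ? null : u.authority.slice(0, at);
  const hostport = at === -1 ? u.authority : u.authority.slice(at + 1);
  const m = hostport.startsWith('[')
    ? /^(\[[^\]]*\])(?::(\d*))?$/.exec(hostport)
    : /^([^:]*)(?::(\d*))?$/.exec(hostport);
  const host = m ? m[1] : hostport;
  const port = m && m[2] !== undefined ? m[2] : null;
  return { userinfo, host: host.toLowerCase(), port };
}

// The interpretation conflict (CWE-436) in one call: the same parser applied
// to the same input before and after the faulty normalisation.
function authorityBeforeAndAfter(uri) {
  return { before: parseAuthority(uri), after: parseAuthority(vulnerableNormalize(uri)) };
}

// The pattern the advisory warns about. The validator rejects credentials in
// the raw input (no '@'), normalises, then trusts a string-prefix check on
// the result. The encoded input has no raw '@', so it passes the first gate;
// after normalisation "https://allowed.example@evil.example/..." still starts
// with "https://allowed.example", so it passes the second, and the client
// that finally parses the URL connects to evil.example.
function naiveRedirectCheck(input, normalizeFn) {
  const u = splitUri(input);
  if (!u || u.authority.includes('@')) return { ok: false, target: null };
  const normalized = normalizeFn(input);
  const ok = [...ALLOWED_HOSTS].some((h) => normalized.startsWith(`https://${h}`));
  return { ok, target: ok ? parseAuthority(normalized).host : null };
}

// Hardened check: decide on the input as written, with a real parser, and do
// not let normalisation change the answer.
//  1. no userinfo in the input;
//  2. no percent-encoded byte in the host: a hostname never needs one, so
//     "%40" or "%3A" there is an attack or a broken client;
//  3. exact allowlist match on the parsed host;
//  4. after normalisation, re-parse and require the same userinfo-less host,
//     so a library that rewrites the authority cannot steer the request.
function hardenedRedirectCheck(input, normalizeFn) {
  const reject = { ok: false, target: null };
  const before = parseAuthority(input);
  if (!before || before.userinfo !== null) return reject;
  if (before.host.includes('%')) return reject;
  if (!ALLOWED_HOSTS.has(before.host)) return reject;
  let after;
  try { after = parseAuthority(normalizeFn(input)); } catch { return reject; }
  if (!after || after.userinfo !== null || after.host !== before.host) return reject;
  return { ok: true, target: after.host };
}

// Constructed attacker input: allowed domain, encoded '@', attacker domain.
const ATTACK_URL = 'https://allowed.example%40evil.example/login';
const BENIGN_URL = 'https://allowed.example/login';

console.log(authorityBeforeAndAfter(ATTACK_URL));
console.log('naive    :', naiveRedirectCheck(ATTACK_URL, vulnerableNormalize));
console.log('hardened :', hardenedRedirectCheck(ATTACK_URL, vulnerableNormalize));
```

Run with node: the first line shows the same parser reporting host allowed.example%40evil.example with no userinfo before normalisation and host evil.example with userinfo allowed.example after it; the naive check accepts the attack URL and reports evil.example as the target, the hardened check rejects it and accepts the benign URL. Rule 4 is the one that matters against a library you do not control: whatever normalize() does, the host it hands back must equal the host you approved.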


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in fast-uri allows attackers to manipulate URLs by altering the host component through improper decoding and serialization of percent-encoded authority delimiters. This can lead to applications being redirected to unintended authorities, potentially causing unauthorized data access or redirection.

Such manipulation could impact compliance with standards and regulations like GDPR or HIPAA, which require strict controls over data access and transmission. If an attacker exploits this vulnerability to redirect requests or bypass host allowlist checks, it could lead to unauthorized disclosure or modification of sensitive information, violating these regulations.

Therefore, organizations using affected versions of fast-uri should upgrade to version 3.1.2 or later to mitigate risks that could affect regulatory compliance related to data integrity and confidentiality.


How can this vulnerability impact me? :

This vulnerability can impact you by allowing attackers to craft URLs that pass a host allowlist check, redirect validation, or outbound request routing control and yet, after normalization, name a different authority.

Because the URI authority is rewritten during normalization, the validation step and the component that finally uses the URL disagree about the host, so a request can be sent to, or a user redirected to, an attacker-chosen domain without the validation step noticing.

The impact is primarily on the integrity of the application's URL handling, potentially leading to open redirects used for phishing, outbound requests sent to an attacker-controlled host, or data submitted to the wrong authority.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The flaw is in a library, so the reliable check is an inventory one: find every copy of fast-uri below 3.1.2 in your deployments. fast-uri is usually pulled in transitively (the vendor listed above is fastify), so look at lockfiles and installed trees, not only at direct dependencies:

  • npm ls fast-uri --all in each project, to list every installed copy with its version
  • grep -rn '"fast-uri"' package-lock.json yarn.lock pnpm-lock.yaml, to find the pinned versions in lockfiles
  • npm audit, which flags the affected range once the advisory is present in the audit database it consults

For exploitation attempts, search request logs for URL-valued parameters (redirect targets, webhook or callback URLs) whose host component contains a percent-encoded authority delimiter: %40 (at-sign, the case the advisory describes) or %3A (colon). Two caveats apply to a plain grep: %40 on its own also matches every email address in a query string, so anchor the match on http:// or https://; and a URL carried in a query parameter is usually encoded a second time, so the %40 inside it appears as %2540. For example:

  • grep -iE 'https?(://|%3A%2F%2F)[^/ ]*%(25)?(40|3A)' /path/to/access.log

This is a coarse filter (it also fires on an encoded colon later in an encoded path), so treat hits as leads to confirm rather than as confirmed exploitation. Packet capture can apply the same pattern to plaintext HTTP on the wire; it sees nothing inside TLS, so for HTTPS services inspect at the terminating proxy or in application logs instead:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -iE 'https?(://|%3A%2F%2F)[^/ ]*%(25)?(40|3A)'

Additionally, review application logs for redirects or outbound requests whose destination host differs from the host named in the validated input, which is the actual symptom of a successful bypass.
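
The grep above is a line-level filter. The following is an added example, not part of the advisory, of the same detection done with enough structure to avoid the obvious false positives: it scans constructed access-log lines, extracts URL-valued request targets both as logged and after one round of percent-decoding (so a URL passed as a query parameter, where "://" is "%3A%2F%2F" and "%40" has become "%2540", is caught), and flags only an encoded delimiter that sits in the host part of an embedded URL. The log lines, parameter names and hostnames are made up.

```javascript
// Added example (not from the advisory): flag log lines carrying a URL whose
// host component contains a percent-encoded authority delimiter. Sample log
// lines below are constructed in combined-log style; hosts are made up.

const SAMPLE_LOG = [
  '203.0.113.5 - - [05/May/2026:10:00:01 +0000] "GET /login?next=https%3A%2F%2Fallowed.example%2540evil.example%2Fx HTTP/1.1" 302 0',
  '203.0.113.6 - - [05/May/2026:10:00:02 +0000] "GET /login?next=https%3A%2F%2Fallowed.example%2Fhome HTTP/1.1" 302 0',
  '203.0.113.7 - - [05/May/2026:10:00:03 +0000] "GET /contact?email=user%40example.org HTTP/1.1" 200 512',
  '203.0.113.8 - - [05/May/2026:10:00:04 +0000] "POST /webhooks?url=http://allowed.example%3A8080%40evil.example/ HTTP/1.1" 200 12',
].join('\n');

// The two encoded delimiters named on this page: '@' and ':'.
const ENCODED_DELIM = /%(?:40|3a)/i;

// Absolute http(s) URLs embedded anywhere in a string; group 1 is the authority.
const URL_RE = /https?:\/\/([^\/?#\s"]+)/gi;

// Percent-decode once, tolerating malformed sequences (never decode twice:
// the point is to see what the *application* will see after one decode).
function decodeOnce(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Authorities whose host part (after any raw '@') still carries an encoded
// delimiter. A raw '@' before the host is ordinary userinfo and is ignored
// here; only the encoded form inside the host is the signal.
function findSuspiciousAuthorities(text) {
  const hits = [];
  for (const m of text.matchAll(URL_RE)) {
    const authority = m[1];
    const host = authority.slice(authority.lastIndexOf('@') + 1);
    if (ENCODED_DELIM.test(host)) hits.push(authority);
  }
  return hits;
}

// One combined-format line -> distinct suspicious authorities in its request
// target, scanned as logged and after one decode.
function scanLine(line) {
  const req = /"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) ([^ "]+)/.exec(line);
  if (!req) return [];
  const target = req[1];
  const found = new Set([
    ...findSuspiciousAuthorities(target),
    ...findSuspiciousAuthorities(decodeOnce(target)),
  ]);
  return [...found];
}

// Whole log -> [{ line, authority }] findings, 1-based line numbers.
function scanLog(log) {
  const findings = [];
  log.split('\n').forEach((line, i) => {
    for (const authority of scanLine(line)) findings.push({ line: i + 1, authority });
  });
  return findings;
}

console.log(scanLog(SAMPLE_LOG));
```

On the sample, lines 1 and 4 are reported (an encoded at-sign inside a double-encoded redirect target, and an encoded colon and at-sign inside a raw webhook URL); line 3, the email address that a bare grep for %40 would have matched, is not. A hit still only shows that someone sent such a URL; whether it was honoured depends on the application's validation order and the fast-uri version in use.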


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update fast-uri to version 3.1.2 or later, where this vulnerability has been patched, in every lockfile that pins it, including copies pulled in transitively, and redeploy.

Until the update can be applied, do not let normalization sit between validation and use. Validate the URL as written, with a strict RFC 3986 parser: reject any userinfo, reject any percent-encoded byte in the host component (a hostname never legitimately contains one), and match the parsed host exactly against the allowlist rather than with a string prefix or a regex on the serialized URL.

If normalization is still applied afterwards, re-parse the normalized result and require its host to be identical to the host that was approved; a mismatch means the authority was rewritten and the URL must be rejected.

Monitor network and application logs for suspicious URL patterns as described in the detection steps to identify potential exploitation attempts.

