CVE-2026-6322

Summary

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

Affected Software

VendorProductVersion RangeStatus
fast-urifast-uri0 < 3.1.2affected
fast-urifast-uri3.1.2unaffected

Weaknesses

  • CWE-436: CWE-436: Interpretation Conflict

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

fast-uri: fast-uri: URI authority bypass due to improper delimiter handling

Additional References

References