Description

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

INFO

Published Date :

2026-05-05T10:29:16.378Z

Last Modified :

2026-05-05T12:55:43.750Z

Source :

openjs
AFFECTED PRODUCTS

The following products are affected by CVE-2026-6322 vulnerability.

Vendors Products
Fast-uri
  • Fast-uri
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-6322.

URL Resource
https://cna.openjsf.org/security-advisories.html cve-icon cve-icon
https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact