CVE-2026-6322: fast-uri vulnerable to host confusion via percent-encoded authority delimiters

Published May 5, 2026
·
Updated

Impact

fast-uri v3.1.1 and earlier decodes percent-encoded authority delimiters (%40 as @, %3A as :) inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host.

For example, http://trusted.com%40evil.com/ normalizes to http://trusted.com@evil.com/, which reparses as host evil.com with userinfo trusted.com.

Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the original URL appeared to contain.

Patches

Upgrade to fast-uri >= 3.1.2.

Workarounds

None. Upgrade to the patched version.

Other sources

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

MITRE

Affected Software

3 affected componentsFixes available
npm/fast-uri<=3.1.1
npm/fast-uri<=3.1.1
3.1.2
Openjsf Fast-uri Node.js<3.1.2

Event History

May 5, 2026
CVE Published
via MITRE·10:29 AM
Data Sourced
via MITRE·10:29 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·11:16 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·11:16 AM
Affected Software
May 8, 2026
Advisory Published
via GitHub·07:13 PM
Data Sourced
via GitHub·07:13 PM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-6322?

CVE-2026-6322 is considered a medium severity vulnerability due to potential exploitation leading to host confusion.

2

How do I fix CVE-2026-6322?

To mitigate CVE-2026-6322, update the fast-uri package to version 3.1.2 or later.

3

What software is affected by CVE-2026-6322?

CVE-2026-6322 affects the fast-uri package versions up to and including 3.1.1.

4

What types of vulnerabilities does CVE-2026-6322 represent?

CVE-2026-6322 represents a host confusion vulnerability due to improper handling of percent-encoded authority delimiters.

5

Is there an exploit available for CVE-2026-6322?

As of now, there are no public exploits reported for CVE-2026-6322, but the vulnerability itself poses risks that should be addressed.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203