CVE-2026-6322
Origin Validation Error vulnerability in fast-uri (npm)
What is CVE-2026-6322 About?
This vulnerability in `fast-uri` decodes percent-encoded authority delimiters (such as `%40` for `@` and `%3A` for `:`) within the host component and re-serializes them as raw characters, altering the URI structure. An application can then trust a different host than the one it originally saw, which may allow redirection to malicious sites or bypassing of host allowlist checks. Exploitation is straightforward, relying only on specially crafted URIs.
Affected Software
Technical Details
The fast-uri library, specifically versions 3.1.1 and earlier, incorrectly handles percent-encoded characters that represent authority delimiters (like %40 for @ and %3A for :) within the host component of a URI. Instead of preserving their encoded state or properly normalizing the URL, the library decodes these characters and re-serializes them as raw characters. For example, http://trusted.com%40evil.com/ is normalized to http://trusted.com@evil.com/. When this modified URI is re-parsed, the trusted.com part is interpreted as userinfo, and evil.com becomes the new host. This structural change can trick applications that perform host allowlist checks, redirect validation, or outbound request routing based on the initially perceived host, causing them to communicate with an attacker-controlled domain instead of the legitimate one.
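To make the structural change concrete, the following is an added example, not fast-uri's own code: a minimal RFC 3986 authority parser, a hypothetical `normalizeUnsafe()` that mirrors the flawed behaviour described above (decoding `%40`/`%3A` in the host and emitting them raw), a hardened `normalizeSafe()` that keeps reserved delimiters encoded, and two checks (`hostHasEncodedDelimiter()`, `hostSurvivesRoundTrip()`) an application can run before using a host for allowlisting, redirect validation or proxying. All function names are assumptions chosen for illustration.

```javascript
// Added example (not fast-uri's implementation). Demonstrates how decoding
// percent-encoded delimiters inside the host changes which part of the URI
// is read as userinfo/host/port, and how a caller can detect that.

// scheme "://" authority path [ "?" query ] [ "#" fragment ]
const URI_RE = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/i;

// RFC 3986 "unreserved": safe to decode inside a host without changing structure.
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// RFC 3986 gen-delims and sub-delims: decoding these re-assigns bytes to other components.
const RESERVED = ":/?#[]@!$&'()*+,;=";

// Split an absolute URI with an authority into its components.
function parseUri(uri) {
  const m = URI_RE.exec(uri);
  if (!m) return null;
  const [, scheme, authority, path, query = '', fragment = ''] = m;
  // authority = [ userinfo "@" ] host [ ":" port ]; the last "@" ends userinfo
  const at = authority.lastIndexOf('@');
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  // Treat the suffix as a port only if it is all digits (keeps "[::1]" intact).
  const colon = hostport.lastIndexOf(':');
  const hasPort = colon !== -1 && /^\d+$/.test(hostport.slice(colon + 1));
  const host = hasPort ? hostport.slice(0, colon) : hostport;
  const port = hasPort ? hostport.slice(colon + 1) : null;
  return { scheme, userinfo, host, port, path, query, fragment };
}

function serializeUri(p) {
  return p.scheme + '://' + (p.userinfo === null ? '' : p.userinfo + '@') +
    p.host + (p.port === null ? '' : ':' + p.port) + p.path + p.query + p.fragment;
}

// Hypothetical flawed normalization: fully decodes the host, so "%40" becomes "@"
// and "%3A" becomes ":" in the serialized output.
function normalizeUnsafe(uri) {
  const p = parseUri(uri);
  if (!p) return null;
  p.host = decodeURIComponent(p.host).toLowerCase();
  return serializeUri(p);
}

// Hardened normalization: decodes only unreserved characters in the host and
// leaves every reserved delimiter percent-encoded, then lowercases the host.
function normalizeSafe(uri) {
  const p = parseUri(uri);
  if (!p) return null;
  p.host = p.host.replace(/%([0-9a-f]{2})/gi, (esc, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return UNRESERVED.test(ch) ? ch : esc;
  }).toLowerCase();
  return serializeUri(p);
}

// Check 1: reject inputs whose host carries a percent-encoded delimiter at all.
function hostHasEncodedDelimiter(uri) {
  const p = parseUri(uri);
  if (!p) return false;
  const escapes = p.host.match(/%[0-9a-f]{2}/gi) || [];
  return escapes.some((esc) => RESERVED.includes(String.fromCharCode(parseInt(esc.slice(1), 16))));
}

// Check 2: whatever a normalizer emits must parse back to the same
// userinfo/host/port split it started with (host compared literally).
function hostSurvivesRoundTrip(uri, normalize) {
  const before = parseUri(uri);
  const normalized = normalize(uri);
  const after = normalized === null ? null : parseUri(normalized);
  return before !== null && after !== null &&
    after.userinfo === before.userinfo &&
    after.port === before.port &&
    after.host.toLowerCase() === before.host.toLowerCase();
}

// Walk through the advisory's example (constructed input).
const sample = 'http://trusted.com%40evil.com/';
console.log(normalizeUnsafe(sample));                 // http://trusted.com@evil.com/
console.log(parseUri(normalizeUnsafe(sample)).host);  // evil.com
console.log(normalizeSafe(sample));                   // http://trusted.com%40evil.com/
console.log(hostHasEncodedDelimiter(sample));         // true
console.log(hostSurvivesRoundTrip(sample, normalizeUnsafe)); // false
console.log(hostSurvivesRoundTrip(sample, normalizeSafe));   // true
```

In practice the cheapest mitigation is upgrading, but the round-trip check is a useful belt-and-braces guard in code that allowlists hosts: parse, normalize, re-parse, and refuse to proceed if the host or userinfo assignment moved. Because it compares the host string literally, a normalizer that decodes unreserved escapes such as `%2E` would also fail it; loosen the comparison if that is acceptable in your context.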
What is the Impact of CVE-2026-6322?
Successful exploitation may allow attackers to redirect users or application requests to malicious external sites, bypass security controls such as host allowlisting, or facilitate phishing attacks by visually spoofing trusted domains.
What is the Exploitability of CVE-2026-6322?
Exploitation is of low complexity and requires no authentication or specific privileges beyond the ability to provide a crafted URI to an application using the vulnerable fast-uri library. The attack is remote, as the malicious URI can be distributed to victims or supplied to web applications. There are no special conditions or constraints other than the target application's reliance on fast-uri for URI parsing before security checks. The risk is particularly high for applications that validate URLs for redirects, allowlisting, or proxying, as they may be tricked into interacting with unintended origins.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-6322?
Available Upgrade Options
- fast-uri
- <3.1.2 → Upgrade to 3.1.2
Additional Resources
- https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc
- https://cna.openjsf.org/security-advisories.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-6322
- https://osv.dev/vulnerability/GHSA-v39h-62p7-jpjc
- https://github.com/fastify/fast-uri
What are Similar Vulnerabilities to CVE-2026-6322?
Similar Vulnerabilities: CVE-2021-36195, CVE-2022-26336, CVE-2023-23910, CVE-2023-38545, CVE-2023-38408
