Skip to main content

fast-uri CVE-2026-6322

| EUVDEUVD-2026-27248 HIGH
Interpretation Conflict (CWE-436)
2026-05-05 openjs GHSA-v39h-62p7-jpjc
7.5
CVSS 3.1 · Vendor: openjs
Share

Severity by source

Vendor (openjs) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (openjs).

CVSS VectorVendor: openjs

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
May 05, 2026 - 12:01 EUVD
Analysis Generated
May 05, 2026 - 11:15 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on fast-uri (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.1.2.

DescriptionCVE.org

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

AnalysisAI

Authority confusion in fast-uri JavaScript library allows remote attackers to bypass URL validation security controls. The normalize() function improperly decodes percent-encoded at-signs (%40) in hostnames, then re-serializes them as raw userinfo delimiters, causing URLs like 'http://trusted.com%40evil.com' to resolve to 'evil.com' instead of 'trusted.com'. Applications using fast-uri to validate URLs against allowlists or for redirect validation can be tricked into connecting to attacker-controlled domains. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no authentication. EPSS data not available; no confirmed active exploitation (not in CISA KEV). Vendor patch released in version 3.1.2.

Technical ContextAI

This vulnerability affects the fast-uri JavaScript library (npm package), specifically the normalize() function used for URL canonicalization. The root cause is CWE-436 (Interpretation Conflict), where the same input is processed differently by sequential validation stages. RFC 3986 defines '@' as the userinfo-host separator in URIs (userinfo@host). When an encoded '@' (%40) appears within what looks like a hostname, fast-uri's normalization incorrectly decodes it during parsing but then re-emits it as a literal '@' during serialization, transforming the URI structure. The CPE identifier cpe:2.3:a:fast-uri:fast-uri:*:*:*:*:*:*:*:* confirms this is a library-level vulnerability affecting all consuming applications. This is a parser differential attack similar to SSRF and open redirect vulnerabilities, where normalization changes the semantic meaning of user-supplied URLs in security-sensitive contexts.

RemediationAI

Update fast-uri to version 3.1.2 or later, which correctly handles percent-encoded authority delimiters without re-interpreting them as structural characters. For npm-based projects, run 'npm update fast-uri' or update package.json to specify '"fast-uri": "^3.1.2"' and reinstall dependencies. Vendor advisory at https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc confirms the fix. If immediate upgrade is not feasible, implement these compensating controls: (1) perform allowlist validation on raw URLs BEFORE normalization to prevent interpretation differences, (2) reject any URLs containing percent-encoded characters in the authority component (%40, %2F, %3A, %23, %3F) before passing to fast-uri, or (3) use alternative URL parsing libraries like Node.js native URL API for security-critical validation. Trade-off: Pre-normalization validation may reject some legitimate edge-case URLs but prevents parser confusion attacks. Do NOT rely solely on post-normalization validation for security decisions when using versions <=3.1.1.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected

Share

CVE-2026-6322 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy