Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (openjs).
CVSS VectorVendor: openjs
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 npm packages depend on fast-uri (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.1.2.
DescriptionCVE.org
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
AnalysisAI
Authority confusion in fast-uri JavaScript library allows remote attackers to bypass URL validation security controls. The normalize() function improperly decodes percent-encoded at-signs (%40) in hostnames, then re-serializes them as raw userinfo delimiters, causing URLs like 'http://trusted.com%40evil.com' to resolve to 'evil.com' instead of 'trusted.com'. Applications using fast-uri to validate URLs against allowlists or for redirect validation can be tricked into connecting to attacker-controlled domains. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no authentication. EPSS data not available; no confirmed active exploitation (not in CISA KEV). Vendor patch released in version 3.1.2.
Technical ContextAI
This vulnerability affects the fast-uri JavaScript library (npm package), specifically the normalize() function used for URL canonicalization. The root cause is CWE-436 (Interpretation Conflict), where the same input is processed differently by sequential validation stages. RFC 3986 defines '@' as the userinfo-host separator in URIs (userinfo@host). When an encoded '@' (%40) appears within what looks like a hostname, fast-uri's normalization incorrectly decodes it during parsing but then re-emits it as a literal '@' during serialization, transforming the URI structure. The CPE identifier cpe:2.3:a:fast-uri:fast-uri:*:*:*:*:*:*:*:* confirms this is a library-level vulnerability affecting all consuming applications. This is a parser differential attack similar to SSRF and open redirect vulnerabilities, where normalization changes the semantic meaning of user-supplied URLs in security-sensitive contexts.
RemediationAI
Update fast-uri to version 3.1.2 or later, which correctly handles percent-encoded authority delimiters without re-interpreting them as structural characters. For npm-based projects, run 'npm update fast-uri' or update package.json to specify '"fast-uri": "^3.1.2"' and reinstall dependencies. Vendor advisory at https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc confirms the fix. If immediate upgrade is not feasible, implement these compensating controls: (1) perform allowlist validation on raw URLs BEFORE normalization to prevent interpretation differences, (2) reject any URLs containing percent-encoded characters in the authority component (%40, %2F, %3A, %23, %3F) before passing to fast-uri, or (3) use alternative URL parsing libraries like Node.js native URL API for security-critical validation. Trade-off: Pre-normalization validation may reject some legitimate edge-case URLs but prevents parser confusion attacks. Do NOT rely solely on post-normalization validation for security decisions when using versions <=3.1.1.
Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls
Host-based security policy bypass in the fast-uri Node.js URI parser (versions 2.3.1 through 3.1.2 and 4.0.0) lets remot
Same weakness CWE-436 – Interpretation Conflict
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Module for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| openSUSE Leap 16.0 | Affected |
| openSUSE Leap 16.0 | Affected |
| openSUSE Leap 16.0 | Affected |
| openSUSE Leap 16.0 | Affected |
| openSUSE Leap 16.0 | Affected |
| openSUSE Leap 16.0 | Affected |
| openSUSE Leap 16.0 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Module for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Module for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Module for SAP Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Module for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| openSUSE Leap Micro 5.5 | Affected |
| openSUSE Leap Micro 5.5 | Affected |
| openSUSE Leap Micro 5.5 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27248
GHSA-v39h-62p7-jpjc