CVE-2026-6322
HIGHfast-uri vulnerable to host confusion via percent-encoded authority delimiters
Title source: cnaDescription
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
References (25)
Core 25
Core References
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:25271
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:25273
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:26225
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:26234
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:28571
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:29197
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:30076
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-6322
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2466684
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:29795
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:29796
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:29800
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:29834
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:33683
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34160
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34342
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34374
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34770
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34766
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36651
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36754
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:37385
Scores
CVSS v3
7.5
EPSS
0.0047
EPSS Percentile
37.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-140
CWE-436
Status
published
Products (4)
fast-uri/fast-uri
< 3.1.2
fast-uri/fast-uri
3.1.2
npm/fast-uri
0 - 3.1.2npm
openjsf/fast-uri
< 3.1.2
Published
May 05, 2026
Tracked Since
May 05, 2026