CVE-2026-6322: Host Confusion via Interpretation Conflict in fast-uri
Vulnerability ID: CVE-2026-6322
CVSS Score: 7.5
Published: 2026-05-08
The fast-uri library exhibits an interpretation conflict vulnerability due to improper handling of percent-encoded authority delimiters during normalization. This flaw enables attackers to bypass domain validation and perform host confusion attacks against downstream components.
TL;DR
fast-uri <= 3.1.1 improperly decodes percent-encoded delimiters (like %40) in the host component without re-encoding them, causing downstream parsers to misinterpret the URI structure. Upgrading to 3.1.2 resolves the issue.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-436
- Attack Vector: Network
- CVSS v3.1: 7.5 (High)
- EPSS Score: 0.00029
- Impact: Integrity Subversion / SSRF Bypass
- Exploit Status: Proof of Concept
- CISA KEV: Not Listed
Affected Systems
- fast-uri: <= 3.1.1 (Fixed in: 3.1.2)
Code Analysis
- Commit 6c86c17: Re-escape gen-delims in host
- Commit 919dd8e: Version 3.1.2 Bump
Exploit Details
- GitHub Advisory: Technical root cause and reproduction steps mapping the SSRF bypass payload.
Mitigation Strategies
- Upgrade fast-uri to version 3.1.2 or later.
- Implement robust pre-validation checks rejecting URIs with percent-encoded reserved characters in the host.
- Unify URI parsing logic to use the exact same library for both security validation and request execution.
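The second and third mitigations above can be combined into one gate. The example below is added here and is not code from fast-uri or from the advisory: it inspects the raw, still percent-encoded host before any normalizing parser decodes it, rejects percent-encoded gen-delims (RFC 3986's `: / ? # [ ] @`, the set the fix commit re-escapes) there, and returns the exact host string it validated so the request layer can be fed that same string rather than a separately parsed one. The helper names and the `.example` sample URIs are assumptions of this example.

```javascript
// Added example, not fast-uri's own code: a pre-validation gate that rejects
// percent-encoded gen-delims in the host before any normalizer decodes them.
// Helper names and sample URIs are assumptions of this example.

// RFC 3986 gen-delims (":" "/" "?" "#" "[" "]" "@") and their percent-encodings.
const ENCODED_GEN_DELIMS = {
  '%3A': ':', '%2F': '/', '%3F': '?', '%23': '#',
  '%5B': '[', '%5D': ']', '%40': '@',
};

// Raw authority: everything between "//" and the next "/", "?" or "#",
// taken from the string exactly as received, so nothing has been decoded yet.
function rawAuthority(uri) {
  const m = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/([^/?#]*)/.exec(uri);
  return m ? m[1] : null;
}

// host[:port] part of the authority. Userinfo (before the last literal "@")
// may legitimately contain %40, so it is split off and not inspected.
function rawHostPort(authority) {
  const at = authority.lastIndexOf('@');
  return at === -1 ? authority : authority.slice(at + 1);
}

// Every percent-encoded gen-delim in s, with its decoded form and offset.
function findEncodedGenDelims(s) {
  const hits = [];
  const re = /%[0-9A-Fa-f]{2}/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    const decoded = ENCODED_GEN_DELIMS[m[0].toUpperCase()];
    if (decoded !== undefined) hits.push({ encoded: m[0], decoded, offset: m.index });
  }
  return hits;
}

// The gate. Returns { ok: true, host } with the raw host that passed, or
// { ok: false, reason }. Hand the accepted URI string, unchanged, to the one
// parser that will also issue the request.
function prevalidateUri(uri) {
  const authority = rawAuthority(uri);
  if (authority === null) return { ok: false, reason: 'no authority component' };
  const hostPort = rawHostPort(authority);
  const hits = findEncodedGenDelims(hostPort);
  if (hits.length > 0) {
    const h = hits[0];
    return {
      ok: false,
      reason: `percent-encoded gen-delim ${h.encoded} ("${h.decoded}") at offset ${h.offset} of host`,
    };
  }
  // Strip a trailing :port, but not the ":" characters inside an IPv6 literal.
  const host = hostPort.startsWith('[')
    ? hostPort.slice(0, hostPort.indexOf(']') + 1)
    : hostPort.replace(/:\d*$/, '');
  return { ok: true, host: host.toLowerCase() };
}

// Allowlist check built on the gate, so the validated host and the host the
// request layer sees derive from one and the same string.
function hostAllowed(uri, allowlist) {
  const r = prevalidateUri(uri);
  return r.ok && allowlist.includes(r.host);
}

// Constructed samples (RFC 2606 ".example" names, not real hosts).
const SAMPLES = [
  'https://allowed.example/path',               // plain host: accepted
  'https://user%40mail@allowed.example:8443/',  // %40 in userinfo only: accepted
  'https://allowed.example%40other.example/',   // %40 in host: rejected
  'https://allowed.example%2Fother.example/',   // %2F in host: rejected
  'https://[2001:db8::1]/',                      // IPv6 literal: accepted
];

// Runs the gate over the samples and returns the verdicts keyed by URI.
function runSamples() {
  const out = {};
  for (const u of SAMPLES) out[u] = prevalidateUri(u);
  return out;
}
```

The check deliberately runs on the raw string and never calls `decodeURIComponent`: the whole point is to decide before any decoding happens, so a `%40` that a normalizer would later turn into a bare `@` is caught while it is still unambiguous.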
Remediation Steps
- Identify all projects depending on fast-uri via package-lock.json or yarn.lock.
- Execute the package manager update command targeting fast-uri@3.1.2.
- Run regression tests on URI parsing and normalization workflows.
- Deploy the updated application build to production environments.
References
- GitHub Security Advisory (GHSA-v39h-62p7-jpjc)
- Fix Commit: Re-escape gen-delims in host
- Fix Commit: Version 3.1.2 Bump
- OpenJS Foundation Security Advisories
- CVE.org Record