
Description

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.

PUBLISHED Reserved 2026-04-14 | Published 2026-05-05 | Updated 2026-05-05 | Assigner openjs

HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Problem types

CWE-436: Interpretation Conflict

Product status

Default status: unaffected

Any version before 3.1.2: affected

3.1.2 (semver): unaffected

Credits

Jvr (reporter)

Matteo Collina (remediation developer)

Ulises Gascón (remediation developer)

KaKa (remediation reviewer)

References

github.com/...st-uri/security/advisories/GHSA-v39h-62p7-jpjc

cna.openjsf.org/security-advisories.html

cve.org (CVE-2026-6322)

nvd.nist.gov (CVE-2026-6322)
