fast-uri, Host Confusion, CVE-2026-6322 (High)


The vulnerability lies in how fast-uri's `normalize()` function decodes percent-encoded authority delimiters inside the host component and then re-emits them as raw delimiters during serialization. Specifically, sequences like `%40` (which decodes to `@`) and `%3A` (which decodes to `:`) are interpreted as userinfo and port separators once the normalized string is parsed again.
1. An attacker crafts a URI such as `http://trusted.com%40evil.com/`.
2. The `normalize()` function decodes `%40` to `@`, turning the host into `trusted.com@evil.com`.
3. When the URI is re-parsed, `trusted.com` becomes the userinfo (username) and `evil.com` becomes the actual host.
4. This changes the effective authority from what the original URL appeared to contain.
5. Applications that rely on `normalize()` before performing host-allowlist checks, redirect validation, or outbound routing decisions can be misled.
6. The attacker can cause the application to communicate with an unintended host (e.g., `evil.com`) instead of the trusted one.
7. No re‑encoding of the delimiters occurs, so the misinterpretation is permanent.
8. The vulnerability exists in all `fast-uri` versions up to and including 3.1.1.
9. It is classified as an interpretation conflict (CWE‑436).
10. The flaw is automatable and requires no special privileges to exploit.

dailycve form

Platform: fast-uri
Version: v3.1.1 and earlier
Vulnerability: Host Confusion
Severity: High
Date: 2026-05-05

Prediction: 2026-05-05

What Undercode Say:

Simulate the normalization flaw using the fast-uri package:

const { normalize } = require('fast-uri');
const malicious = 'http://trusted.com%40evil.com/';
// Vulnerable versions decode %40 to a raw "@" and do not re-encode it
const normalized = normalize(malicious);
console.log(normalized); // http://trusted.com@evil.com/

Exploit:

GET http://trusted.com%40evil.com/ HTTP/1.1
Host: trusted.com%40evil.com

Protection from this CVE:

npm install [email protected]

Impact:

Host‑allowlist bypass, redirect validation evasion, and outbound request routing to attacker‑controlled origins.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
