CVE-2026-6322 Overview
CVE-2026-6322 is a URL parsing vulnerability in the fast-uri Node.js library, maintained under the Fastify project at the OpenJS Foundation. The normalize() function decodes percent-encoded authority delimiters inside the host component and re-emits them as raw delimiters during serialization. An attacker can craft a host that combines an allowed domain, an encoded at-sign (%40), and a different domain. After normalization, the at-sign becomes a raw userinfo separator, shifting the URI authority to the second domain. Versions <= 3.1.1 are affected, and the issue is fixed in 3.1.2. The flaw is classified under [CWE-436] Interpretation Conflict.
Critical Impact
Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appears to specify, enabling Server-Side Request Forgery (SSRF) and open-redirect attacks.
Affected Products
- fast-uri versions <= 3.1.1
- Fastify applications and plugins that depend on fast-uri for URL normalization
- Downstream Node.js services using fast-uri for host allowlist or redirect validation
Discovery Timeline
- 2026-05-05 - CVE-2026-6322 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-6322
Vulnerability Analysis
The fast-uri library exposes a normalize() function used to canonicalize URI strings before downstream validation. The function applies percent-decoding to characters inside the host component without re-checking whether the decoded characters carry structural meaning in the authority grammar defined by RFC 3986. When the decoded byte is the at-sign (@), it acts as a separator between userinfo and host. The serializer then writes the decoded character back as a raw delimiter, producing a URI whose host differs from the host present in the input string.
A validator that parses the original input, confirms the host matches an allowlist, and then passes the normalized URI to an HTTP client will route the request to an attacker-controlled host. The library itself does not execute the request, but the parser/serializer mismatch corrupts every consumer that trusts the normalized output.
Root Cause
The root cause is an interpretation conflict between the parser and the serializer. The parser treats %40 inside the host as data, but the serializer treats the decoded @ as a structural delimiter. Authority-significant characters must remain percent-encoded after normalization or be rejected outright. The fix in 3.1.2 preserves the encoding so that the host segment cannot be reinterpreted as userinfo@host.
Attack Vector
An attacker submits a URL such as https://allowed.example.com%40attacker.example/path to an application that calls fastUri.normalize() before performing a host check or initiating an outbound request. The pre-normalization host appears to begin with allowed.example.com, satisfying naive allowlist logic. After normalization, the URI authority becomes attacker.example, and the request, redirect, or webhook is delivered to the attacker. The attack requires no authentication, no user interaction, and is delivered over the network.
No verified public proof-of-concept code is available. Refer to GitHub Security Advisory GHSA-v39h-62p7-jpjc for the maintainer's technical write-up.
Detection Methods for CVE-2026-6322
Indicators of Compromise
- Outbound HTTP requests to unexpected hosts originating from services that proxy, fetch, or validate user-supplied URLs.
- Application logs containing input URLs with %40 or other percent-encoded reserved characters (%23, %2F, %3F) inside the host segment.
- Redirect responses where the Location header host does not match the host that passed allowlist validation.
Detection Strategies
- Inventory package-lock.json and yarn.lock files across repositories and build artifacts for fast-uri versions <= 3.1.1, including transitive dependencies pulled in by Fastify plugins.
- Add a runtime assertion that compares the host extracted before and after normalize() and alerts when the values differ.
- Apply web application firewall (WAF) rules that block inbound URLs containing percent-encoded @, /, ?, or # inside the host portion of any user-controlled URL parameter.
Monitoring Recommendations
- Forward outbound HTTP egress logs from URL-fetching services into a SIEM and correlate destination hosts against the application's documented allowlist.
- Monitor Software Composition Analysis (SCA) findings for GHSA-v39h-62p7-jpjc and track remediation across all repositories.
- Alert on Node.js process telemetry that shows new outbound connections to domains never observed in baseline traffic.
How to Mitigate CVE-2026-6322
Immediate Actions Required
- Upgrade fast-uri to version 3.1.2 or later in every direct and transitive dependency path.
- Rebuild and redeploy all Node.js services, container images, and serverless bundles that ship fast-uri.
- Audit code paths that call normalize() followed by host allowlist checks, redirect validation, or outbound request routing.
Patch Information
The maintainers released fast-uri3.1.2, which preserves percent-encoded authority delimiters during normalization. Details are documented in GitHub Security Advisory GHSA-v39h-62p7-jpjc and the OpenJS Foundation Security Advisories. Update the dependency entry in package.json and run npm audit fix or yarn upgrade fast-uri to pull the corrected release.
Workarounds
- Reject input URLs whose host segment contains any percent-encoded character before passing them to normalize().
- Perform host allowlist checks against the URL parsed by the WHATWG URL constructor rather than against fast-uri output.
- Resolve the final destination host after normalization and re-validate it against the allowlist immediately before issuing the outbound request.
# Configuration example
npm install fast-uri@^3.1.2
npm ls fast-uri
npm audit --audit-level=high
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
