URL Normalization Flaw in Fast-uri Affects Applications
CVE-2026-6322

7.5 HIGH

Key Information:

Vendor: Fast-uri

Status: Vendor

CVE Published: 5 May 2026

What is CVE-2026-6322?

The fast-uri library's normalize() function percent-decodes authority delimiters (for example %40) that appear inside the host component and then serializes them back as raw delimiters. An attacker can therefore supply a host that combines an approved domain, an encoded at-sign and a second domain: after normalization the decoded at-sign turns the approved domain into userinfo and the second domain becomes the URI's authority. Applications that normalize untrusted URLs with this library before a host allowlist check or a redirect validation can end up sending users or requests to a different authority than the one they validated. Update to fast-uri 3.1.2 or later to fix this issue.
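The following is an added example, not fast-uri's own code: a toy RFC 3986-style percent-decoding step that reproduces the class of bug described above, beside a hardened version that decodes only unreserved characters, and a host-drift check a redirect validator can run to catch the discrepancy. All function names (splitUri, hostOf, normalizeUnsafe, normalizeSafe, hostDrift, isSafeRedirect), the allowlist and the crafted input are constructed for this illustration.

```javascript
// Added example (not fast-uri code). Shows why a normalizer that decodes
// percent-encoded delimiters in the authority changes which host a URI names.

// Hypothetical helper: split "scheme://authority<rest>" per the generic RFC 3986 shape.
function splitUri(uri) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):\/\/([^/?#]*)(.*)$/.exec(uri);
  if (!m) throw new Error('not a hierarchical URI: ' + uri);
  return { scheme: m[1].toLowerCase(), authority: m[2], rest: m[3] };
}

// Host component of an authority: drop userinfo (everything up to the last '@')
// and the port (after a ':' that is not inside an IPv6 bracket literal).
function hostOf(authority) {
  const afterUser = authority.slice(authority.lastIndexOf('@') + 1);
  const portIdx = afterUser.lastIndexOf(':');
  if (portIdx > afterUser.lastIndexOf(']')) return afterUser.slice(0, portIdx);
  return afterUser;
}

// Unreserved characters (RFC 3986 section 2.3) are the only octets a normalizer
// may decode; delimiters such as '@', ':' and '/' must stay percent-encoded.
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// Buggy variant: decodes every %XX in the authority, including %40 ('@'),
// and writes the decoded byte back as a raw delimiter.
function normalizeUnsafe(uri) {
  const { scheme, authority, rest } = splitUri(uri);
  const decoded = authority.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
  return `${scheme}://${decoded}${rest}`;
}

// Hardened variant: decode only unreserved octets; keep every other octet
// encoded, with uppercase hex digits (RFC 3986 section 6.2.2.1).
function normalizeSafe(uri) {
  const { scheme, authority, rest } = splitUri(uri);
  const normalized = authority.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return UNRESERVED.test(ch) ? ch : '%' + hex.toUpperCase();
  });
  return `${scheme}://${normalized}${rest}`;
}

// Invariant a validator should enforce: normalization must not change which
// host the URI names. Returns the host before and after, and whether it moved.
function hostDrift(uri, normalize) {
  const before = hostOf(splitUri(uri).authority);
  const after = hostOf(splitUri(normalize(uri)).authority);
  return { before, after, changed: before !== after };
}

// Constructed allowlist for the redirect check below.
const ALLOWED_HOSTS = new Set(['trusted.example']);

// Redirect validation: reject any URI whose authority moved during
// normalization, then check the (stable) host against the allowlist.
function isSafeRedirect(uri, normalize = normalizeSafe) {
  const drift = hostDrift(uri, normalize);
  if (drift.changed) return false; // an encoded delimiter was smuggled in
  return ALLOWED_HOSTS.has(drift.after);
}

// Constructed attacker input: approved domain, encoded '@', then attacker host.
const CRAFTED = 'https://trusted.example%40evil.example/login';

console.log(normalizeUnsafe(CRAFTED));          // https://trusted.example@evil.example/login
console.log(hostDrift(CRAFTED, normalizeUnsafe)); // before: trusted.example%40evil.example, after: evil.example
console.log(hostDrift(CRAFTED, normalizeSafe).changed); // false
console.log(isSafeRedirect(CRAFTED));            // false
```

The drift check is deliberately independent of which normalizer is in use: even with a vulnerable normalize(), comparing the host parsed before and after normalization turns the smuggled delimiter into a hard failure instead of a silently relocated authority.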

Affected Version(s)

fast-uri >= 0, < 3.1.2 (affected)

fast-uri 3.1.2 (fixed)

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jvr
Matteo Collina
Ulises Gascón
KaKa