{"uuid": "6f08764d-714c-4975-88ef-e6cf7e51386c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-v39h-62p7-jpjc", "type": "seen", "source": "https://gist.github.com/alon710/5589e0b554769b0725c771aeba30c7e4", "content": "# CVE-2026-6322: Host Confusion via Interpretation Conflict in fast-uri\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-05-08\n> **Full Report:** https://cvereports.com/reports/CVE-2026-6322\n\n## Summary\nThe fast-uri library exhibits an interpretation conflict vulnerability due to improper handling of percent-encoded authority delimiters during normalization. This flaw enables attackers to bypass domain validation and perform host confusion attacks against downstream components.\n\n## TL;DR\nfast-uri <= 3.1.1 improperly decodes percent-encoded delimiters (like %40) in the host component without re-encoding them, causing downstream parsers to misinterpret the URI structure. Upgrading to 3.1.2 resolves the issue.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-436\n- **Attack Vector**: Network\n- **CVSS v3.1**: 7.5 (High)\n- **EPSS Score**: 0.00029\n- **Impact**: Integrity Subversion / SSRF Bypass\n- **Exploit Status**: Proof of Concept\n- **CISA KEV**: Not Listed\n\n## Affected Systems\n\n- **fast-uri**: <= 3.1.1 (Fixed in: `3.1.2`)\n\n## Mitigation\n\n- Upgrade fast-uri to version 3.1.2 or later.\n- Implement robust pre-validation checks rejecting URIs with percent-encoded reserved characters in the host.\n- Unify URI parsing logic to use the exact same library for both security validation and request execution.\n\n**Remediation Steps:**\n1. Identify all projects depending on fast-uri via package-lock.json or yarn.lock.\n2. Execute the package manager update command targeting fast-uri@3.1.2.\n3. Run regression tests on URI parsing and normalization workflows.\n4. Deploy the updated application build to production environments.\n\n## References\n\n- [GitHub Security Advisory (GHSA-v39h-62p7-jpjc)](https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc)\n- [Fix Commit: Re-escape gen-delims in host](https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293)\n- [Fix Commit: Version 3.1.2 Bump](https://github.com/fastify/fast-uri/commit/919dd8ea7689fcc220d0d9b71307f5095e723ef9)\n- [OpenJS Foundation Security Advisories](https://cna.openjsf.org/security-advisories.html)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-6322)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-6322) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-08T19:40:29.000000Z"}