CVE-2026-6322
Published: 05 May 2026
Description
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Security Summary (AI)
CVE-2026-6322 is a vulnerability in the fast-uri JavaScript library's normalize() function, which incorrectly decodes percent-encoded authority delimiters within the host component and re-emits them as raw delimiters during serialization. This affects versions of fast-uri up to and including 3.1.1. Specifically, a maliciously crafted host combining an allowed domain, an encoded at-sign (@), and a different domain results in the normalized URI re-emitting the at-sign as a raw userinfo separator, effectively altering the URI's authority to the second domain. The issue is classified under CWE-436 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Attackers can exploit this vulnerability remotely without authentication by supplying untrusted URLs to applications that invoke fast-uri's normalize() prior to performing host allowlist checks, redirect validation, or outbound request routing. Successful exploitation steers the application to a different authority than intended, potentially enabling open redirects, SSRF, or unintended network requests to attacker-controlled hosts.
Advisories from the OpenJS Foundation CNA and the fast-uri GitHub security advisory (GHSA-v39h-62p7-jpjc) recommend updating to fast-uri version 3.1.2 or later, where the normalization logic has been corrected to prevent decoding and re-emission of these delimiters in the host component.
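A guard for the pattern described above, added here as an illustration and not taken from fast-uri or the advisory: it pins the host of an untrusted URI across normalization, so that an allowlist check runs on a result whose authority is known not to have drifted. The normalizer is injected through the `normalize` parameter so fast-uri's normalize() (or any other) can be passed in; the stand-in normalizers, the helper names (`hostnameOf`, `normalizeWithHostPinned`, `isAllowedHost`) and the sample hosts `allowed.example` / `evil.example` are constructed for this example. It goes slightly beyond the advisory's case by also refusing double-encoded delimiters that one decoding pass turns into single-encoded ones.

```javascript
// Added defensive example, not fast-uri's code: pin the host of an untrusted URI
// across normalization so an allowlist check cannot be steered to another authority.
// `normalize` is injected; pass fast-uri's normalize() (or any other) in real use.

// RFC 3986 Appendix B: scheme, authority, path, query, fragment.
const URI_RE = /^(([^:/?#]+):)?(\/\/([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Percent-encoded forms of the authority delimiters "@", ":", "/", "?", "#".
// None of these belong in a host: a legitimate reg-name never needs them encoded.
const ENCODED_DELIM_RE = /%(40|3a|2f|3f|23)/i;

// Authority string (userinfo@host:port), or null when the URI has none.
function authorityOf(uri) {
  const m = URI_RE.exec(uri);
  return m && m[3] !== undefined ? m[4] : null;
}

function hasUserinfo(uri) {
  const a = authorityOf(uri);
  return a !== null && a.includes('@');
}

// Host without userinfo and port; IPv6 literals keep their brackets.
function hostnameOf(uri) {
  const a = authorityOf(uri);
  if (a === null) return null;
  const at = a.lastIndexOf('@'); // userinfo ends at the last "@"
  const host = at === -1 ? a : a.slice(at + 1);
  if (host.startsWith('[')) return host.slice(0, host.indexOf(']') + 1);
  const colon = host.lastIndexOf(':');
  return colon === -1 ? host : host.slice(0, colon);
}

// Normalize `uri` with `normalize`, but refuse the result unless the authority survives intact.
function normalizeWithHostPinned(uri, normalize) {
  const before = hostnameOf(uri);
  // 1. Reject encoded delimiters in the host before any library sees the string.
  if (before !== null && ENCODED_DELIM_RE.test(before)) {
    return { ok: false, reason: 'encoded authority delimiter in host' };
  }
  const out = normalize(uri);
  const after = hostnameOf(out);
  if (before !== null) {
    // 2. Normalization must not drop the authority or invent a userinfo separator.
    if (after === null) return { ok: false, reason: 'authority lost' };
    if (!hasUserinfo(uri) && hasUserinfo(out)) {
      return { ok: false, reason: 'userinfo separator introduced' };
    }
    // 3. A host with no percent-encoding may only change case.
    if (!before.includes('%') && before.toLowerCase() !== after.toLowerCase()) {
      return { ok: false, reason: 'host changed' };
    }
    // 4. The output host must pass the same delimiter check (catches double encoding).
    if (ENCODED_DELIM_RE.test(after)) {
      return { ok: false, reason: 'encoded authority delimiter in normalized host' };
    }
  }
  return { ok: true, uri: out };
}

// Allowlist check on the pinned result rather than on the raw input string.
function isAllowedHost(result, allowlist) {
  if (!result.ok) return false;
  const host = hostnameOf(result.uri);
  return host !== null && allowlist.includes(host.toLowerCase());
}

// Constructed stand-in normalizers for illustration only (not fast-uri).
// A well-behaved one lowercases scheme and authority; the decoding ones percent-decode
// the whole string, which is the class of behaviour the advisory describes.
function lowercaseNormalize(uri) {
  const m = URI_RE.exec(uri);
  const scheme = m[1] ? m[1].toLowerCase() : '';
  const authority = m[3] !== undefined ? '//' + m[4].toLowerCase() : '';
  return scheme + authority + m[5] + (m[6] || '') + (m[8] || '');
}
const decodeOnce = (uri) => decodeURIComponent(uri);
const decodeTwice = (uri) => decodeURIComponent(decodeURIComponent(uri));

// Sample usage with a constructed allowlist.
const ALLOWLIST = ['allowed.example'];
console.log(isAllowedHost(normalizeWithHostPinned('https://Allowed.Example/a', lowercaseNormalize), ALLOWLIST));
console.log(normalizeWithHostPinned('https://allowed.example%40evil.example/', lowercaseNormalize));
console.log(normalizeWithHostPinned('https://allowed.example%2540evil.example/', decodeOnce));
```

The order of the checks matters: the raw-input check (1) alone would accept a double-encoded host such as `allowed.example%2540evil.example`, because one decoding pass yields `%40` rather than `@`; check 4 on the normalized host is what refuses it, and check 2 refuses the case where a second decoding pass produces the raw separator. Host comparison ignores case and port so that ordinary normalization (lowercasing the host) still passes.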
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
This CVE enables remote exploitation of public-facing applications (by supplying a malicious URL to normalize() before allowlist, redirect or routing checks), producing SSRF, open redirects and outbound connections to attacker-controlled hosts; that maps directly to T1190 (Exploit Public-Facing Application) for initial access and T1105 (Ingress Tool Transfer) for the resulting ingress of attacker-controlled content.