PT-2026-36996 · Npm · Fast-Uri

Kaka +2

Published: 2026-05-05 · Updated: 2026-05-18 · CVE-2026-6322

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: fast-uri versions prior to 3.1.2

Description: The normalize() function decoded percent-encoded authority delimiters within the host component and re-emitted them as raw delimiters during serialization. This allows a host combining an allowed domain, an encoded at-sign, and a different domain to be re-emitted with the at-sign as a raw userinfo separator, effectively changing the URI's authority to the second domain. Applications that normalize untrusted URLs before performing host allowlist checks, redirect validation, or outbound request routing can be steered to an authority different from the one specified in the input.

Recommendations: Update to version 3.1.2 or later.
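The defensive pattern implied by the description, as an added example (this is not fast-uri's code and not part of the advisory): extract the host from the raw input without decoding anything, refuse hosts that carry percent-encoded authority delimiters, apply the allowlist to that host, and then confirm that whatever normalizer the application uses did not change the host. The `normalize` parameter is assumed to be any function from URI string to URI string; the allowlist entries and sample URIs are constructed for illustration.

```javascript
// Added example: library-agnostic host allowlist check that is robust to a
// normalizer which turns encoded delimiters in the host into raw ones.

// RFC 3986 Appendix B reference regex; group 4 is the authority (if any).
const URI_RE = /^(([^:/?#]+):)?(\/\/([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Percent-encoded gen-delims (":" "/" "?" "#" "[" "]" "@"), case-insensitive.
// A DNS name never needs any of these, so their presence in a host is rejected.
const ENCODED_GEN_DELIM_RE = /%(3a|2f|3f|23|5b|5d|40)/i;

// Return the lower-cased host of `uri` without decoding it, or null when the
// URI has no authority or the authority is malformed.
function extractHost(uri) {
  const m = URI_RE.exec(uri);
  if (!m || m[3] === undefined) return null;        // no "//authority" part
  let authority = m[4];
  const at = authority.indexOf('@');
  if (at !== -1) {
    // userinfo ends at the first literal '@'; a second literal '@' is invalid
    if (authority.indexOf('@', at + 1) !== -1) return null;
    authority = authority.slice(at + 1);
  }
  let host;
  if (authority.startsWith('[')) {                  // IP-literal, e.g. [::1]:443
    const end = authority.indexOf(']');
    if (end === -1) return null;
    host = authority.slice(0, end + 1);
  } else {
    const colon = authority.indexOf(':');           // reg-name cannot contain ':'
    host = colon === -1 ? authority : authority.slice(0, colon);
  }
  return host.toLowerCase();
}

// Validate an untrusted URI against `allowedHosts`, then normalize it with
// `normalize` (assumed: string -> string) and verify the host is unchanged.
// Returns { ok: true, host, uri } or { ok: false, reason }.
function checkHostAllowed(uri, allowedHosts, normalize = (u) => u) {
  const before = extractHost(uri);
  if (before === null) return { ok: false, reason: 'no or malformed authority' };
  if (ENCODED_GEN_DELIM_RE.test(before)) {
    return { ok: false, reason: 'percent-encoded delimiter in host' };
  }
  if (!allowedHosts.includes(before)) {
    return { ok: false, reason: `host not allowed: ${before}` };
  }
  const normalized = normalize(uri);
  const after = extractHost(normalized);
  if (after !== before) {
    return { ok: false, reason: `host changed by normalization: ${before} -> ${after}` };
  }
  return { ok: true, host: after, uri: normalized };
}

// Constructed sample inputs (not taken from the advisory).
const ALLOWED = ['allowed.example'];
console.log(checkHostAllowed('https://allowed.example/path?q=1', ALLOWED));
console.log(checkHostAllowed('https://allowed.example%40other.example/', ALLOWED));
```

The post-normalization comparison is what protects a caller that must keep using a normalizer it does not control: even if the library rewrites the authority, the request is refused because the host it would actually reach differs from the one that passed the allowlist.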

Fix

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BE61221
CLEANSTART-2026-LC05413
CVE-2026-6322
GHSA-V39H-62P7-JPJC

Affected Products

Fast-Uri