CVE-2026-6322: Host Confusion via Interpretation Conflict in fast-uri

The fast-uri package, a high-performance RFC 3986 URI toolbox, contains an interpretation conflict vulnerability in versions up to and including 3.1.1. The library incorrectly handles percent-encoded authority delimiters within the host component during its normalization and parsing processes. This flaw allows attackers to submit crafted URIs that change structure after processing.

The vulnerability, tracked as CVE-2026-6322 and categorized under CWE-436, stems from a failure to maintain the structural integrity of percent-encoded data. When an application passes a malicious URI through the affected functions, the library decodes safe representations of reserved characters into active delimiters. Downstream components subsequently misinterpret the URI structure.

This issue enables host confusion attacks, which attackers leverage to bypass validation logic. Security controls relying on fast-uri to verify target domains evaluate the benign-looking pre-normalization input. The final outbound request then executes against the attacker-controlled post-normalization domain.

The root cause is a decode-then-re-encode sequence during the component normalization phase. According to RFC 3986, the authority component of a URI follows the specific format [userinfo@]host[:port]. Characters such as @ and : serve as structural boundaries separating these distinct subcomponents.

In vulnerable versions, the fast-uri parser passes the host component through decodeURIComponent() without verifying if the resulting unescaped string contains reserved delimiters. When a user supplies an input like %40 within the host string, the library greedily translates it into a literal @ character. The serializer then outputs this raw character instead of maintaining its percent-encoded form.

This transformation fundamentally alters the syntactic boundaries of the URI. When a subsequent HTTP client or validation routine parses the normalized output, it interprets the newly minted @ symbol as the end of the userinfo section rather than part of the host. The parser shifts the perceived host to whatever domain follows the injected delimiter.

The vulnerability exists in the core parsing logic of the library, specifically within the host normalization routine. In versions 3.1.1 and earlier, the index.js file executed a straightforward unescape operation on the parsed host property. The code lacked any secondary checks to ensure the unescaped output remained a structurally valid host component.

// Vulnerable implementation in fast-uri <= 3.1.1
if (parsed.host !== undefined) {
  parsed.host = unescape(parsed.host) // Decodes %40, %3A, %2F, etc.
}

The remediation implemented in commit 6c86c17c3d76fb93aa3700ec6c0fa00faeb97293 introduces a new utility function named reescapeHostDelimiters. This function explicitly searches for decoded general delimiters (gen-delims) within the unescaped host string. If it detects these structural characters, it reverts them to their percent-encoded equivalents before finalizing the parsed object.

// Patched implementation in fast-uri 3.1.2 (lib/utils.js)
const HOST_DELIMS = { '@': '%40', '/': '%2F', '?': '%3F', '#': '%23', ':': '%3A' }
const HOST_DELIM_RE = /[@/?#:]/g
 
function reescapeHostDelimiters (host, isIP) {
  const re = isIP ? HOST_DELIM_NO_COLON_RE : HOST_DELIM_RE
  return host.replace(re, (ch) => HOST_DELIMS[ch])
}

By re-escaping these specific characters, the library ensures the host string remains a single semantic unit. The parser correctly preserves the original intent of the encoded characters without introducing injection points into the final serialized URI. Additional strict parsing rules now track malformed states, ensuring structurally broken URIs return as original strings rather than modified payloads.

Exploiting CVE-2026-6322 requires the attacker to supply a crafted URI to an application endpoint that uses fast-uri for validation and a separate client for execution. The attacker constructs a payload targeting the host component, utilizing percent-encoding for the @ symbol (%40). An example payload is http://trusted.com%40evil.com/.

The vulnerable application receives this payload and passes it to fast-uri for normalization or evaluation against an allowlist. At this stage, fast-uri parses the host as trusted.com%40evil.com, which satisfies validation checks looking for trusted.com. The application then uses the normalized output, http://trusted.com@evil.com/, to initiate a network request.

The downstream HTTP client processes the normalized URI according to standard RFC rules. It identifies trusted.com as the authentication credential (userinfo) and targets evil.com as the actual destination server. The attacker successfully routes the request to their controlled infrastructure while bypassing the application's domain restrictions.

This exploitation methodology demands zero authentication and requires no direct user interaction. The attack functions deterministically provided the target environment exhibits the required differential parsing behavior between the validation step and the final execution step.

This vulnerability carries a CVSS v3.1 base score of 7.5, reflecting a high severity issue with a completely remote attack vector. The primary consequence is the total subversion of host-based access controls and validation mechanisms. Attackers achieve high integrity impact by manipulating the destination of outbound network traffic or altering application state logic based on domain assumptions.

The most critical operational impact is the facilitation of Server-Side Request Forgery (SSRF) and Open Redirect attacks. Applications implementing SSRF protections typically restrict outbound requests to predefined internal or external domains. By utilizing this interpretation conflict, attackers force the server to execute requests against internal services or attacker-controlled infrastructure while appearing compliant with the security policy.

Secondary impacts include potential cache poisoning or authorization bypasses if the application uses the normalized URI as a cache key or resource identifier. The vulnerability effectively breaks the assumption that the output of fast-uri.normalize() maintains the same semantic meaning as its input.

The EPSS score for this vulnerability is 0.00029, indicating a low current probability of automated exploitation in the wild. However, the theoretical attack path is highly reliable. Organizations relying on fast-uri within frameworks like Fastify must address this structural flaw to maintain the integrity of their network boundaries and trust models.

The primary and most effective remediation is upgrading the fast-uri dependency to version 3.1.2 or later. The OpenJS Foundation released this patched version concurrently with the security advisory. The update contains the necessary logic to re-escape reserved delimiters, eliminating the structural shift vulnerability entirely.

If immediate patching is unfeasible, development teams must implement strict input validation workarounds. Applications must evaluate the initial parsed output directly rather than relying on the normalize() or equal() functions. Developers should reject any URI containing percent-encoded reserved characters in the host segment prior to any processing.

Security teams should also review their architectural approach to URI handling. Using a single, standardized URI parsing library across both the validation phase and the execution phase mitigates the risk of interpretation conflicts. Ensuring exact parity between what the security control evaluates and what the network client executes is a fundamental defense against host confusion attacks.