CVE-2026-6322

ADVISORY - github

Summary

Impact

fast-uri v3.1.1 and earlier decodes percent-encoded authority delimiters (%40 as @, %3A as :) inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host.

For example, http://trusted.com%40evil.com/ normalizes to http://trusted.com@evil.com/, which reparses as host evil.com with userinfo trusted.com.

Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the original URL appeared to contain. The practical consequence is that any allowlist or redirect check must run against the same representation that is actually used to make the request: validating the original string and then fetching the normalized one (or the reverse) is exactly the gap this bug exploits.
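The following Node.js script is an added illustration and is not code from the advisory or from fast-uri. It reproduces the bug class with a deliberately naive normalizer that decodes the host and writes the characters back raw (mirroring the behaviour described above, not the library's actual code), contrasts it with a normalizer that decodes only RFC 3986 unreserved octets, and shows the consumer-side guard: split the authority without decoding, compare it before and after normalization, and refuse to trust a result whose userinfo, host or port changed. All function names and the sample URLs are the example's own; it uses only built-in JavaScript.

```javascript
// Added example, not the advisory's or fast-uri's code. Everything here is
// constructed for illustration: parseAuthority, naiveNormalize, safeNormalize
// and normalizationPreservesAuthority are hypothetical helper names.

// Split "scheme://authority/rest" and then "userinfo@host:port" WITHOUT any
// percent-decoding. Because "%40" is never turned into "@", it cannot act as
// a delimiter here; that is what a correct RFC 3986 parser must preserve.
function parseAuthority(uri) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):\/\/([^/?#]*)([\s\S]*)$/.exec(uri);
  if (!m) return null;
  const [, scheme, authority, rest] = m;
  const at = authority.lastIndexOf("@");
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;
  let host = hostport, port = null;
  if (hostport.startsWith("[")) {            // bracketed IPv6 literal
    const close = hostport.indexOf("]");
    host = hostport.slice(0, close + 1);
    if (hostport[close + 1] === ":") port = hostport.slice(close + 2);
  } else {
    const colon = hostport.lastIndexOf(":");
    if (colon >= 0) { host = hostport.slice(0, colon); port = hostport.slice(colon + 1); }
  }
  return { scheme: scheme.toLowerCase(), userinfo, host: host.toLowerCase(), port, rest };
}

function serialize(p) {
  const auth = (p.userinfo !== null ? p.userinfo + "@" : "") +
               p.host + (p.port !== null ? ":" + p.port : "");
  return `${p.scheme}://${auth}${p.rest}`;
}

// Vulnerable normalizer (constructed to mirror the advisory's description of
// fast-uri <= 3.1.1): it percent-decodes the whole host component and
// serializes the decoded characters back raw, so "%40" becomes "@" and
// "%3A" becomes ":", changing the URI structure on the next parse.
function naiveNormalize(uri) {
  const p = parseAuthority(uri);
  if (!p) return uri;
  let host;
  try { host = decodeURIComponent(p.host); } catch (e) { return uri; }
  return serialize({ ...p, host });
}

// Hardened normalizer (illustrative, not fast-uri's fix): decode only
// percent-encoded unreserved characters (ALPHA / DIGIT / "-" / "." / "_" / "~",
// RFC 3986 section 2.3) and upper-case the hex of everything else, so encoded
// delimiters such as %40 and %3A stay encoded and the authority never changes.
function safeNormalize(uri) {
  const p = parseAuthority(uri);
  if (!p) return uri;
  const host = p.host.replace(/%([0-9a-f]{2})/gi, (m, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /[A-Za-z0-9\-._~]/.test(ch) ? ch : "%" + hex.toUpperCase();
  }).toLowerCase();
  return serialize({ ...p, host });
}

// Canonical authority for comparison: unreserved-only decoding, no delimiters
// can appear, so two URLs with the same key really do name the same authority.
function authorityKey(uri) {
  const p = parseAuthority(safeNormalize(uri));
  return p ? JSON.stringify([p.userinfo, p.host, p.port]) : null;
}

// Consumer-side guard: run any normalizer you do not fully trust through this
// before using its output for allowlisting, redirect checks or routing. A
// mismatch means the normalizer rewrote the authority; reject the URL.
function normalizationPreservesAuthority(uri, normalize) {
  const before = authorityKey(uri);
  const after = authorityKey(normalize(uri));
  return before !== null && before === after;
}

// Demo on constructed inputs (the advisory's own example plus a %3A variant).
const attacks = ["http://trusted.com%40evil.com/", "http://evil.com%3A8080/"];
for (const u of attacks) {
  console.log(u, "=>", naiveNormalize(u),
    "| naive ok:", normalizationPreservesAuthority(u, naiveNormalize),
    "| safe ok:", normalizationPreservesAuthority(u, safeNormalize));
}
```

The guard compares authorities after reducing both sides with the unreserved-only decoder, so harmless differences such as `%41` versus `A` or host case do not trip it, while any normalizer that manufactures a new `@` or `:` is caught regardless of how it was implemented.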

Patches

Upgrade to fast-uri >= 3.1.2.

Workarounds

None. Upgrade to the patched version.

EPSS Score: 0.00011 (0.015)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-436: Interpretation Conflict

ADVISORY - github

CWE-436: Interpretation Conflict
