Fluid Attacks Database

Description

fast-uri vulnerable to host confusion via percent-encoded authority delimiters

Impact

fast-uri v3.1.1 and earlier decodes percent-encoded authority delimiters (%40 as @, %3A as :) inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host.

For example, http://trusted.com%40evil.com/ normalizes to http://[email protected]/, which reparses as host evil.com with userinfo trusted.com.

Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the original URL appeared to contain.

Patches

Upgrade to fast-uri >= 3.1.2.

Workarounds

None. Upgrade to the patched version.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	node-ajv	=6.12.6-2 \|\| =6.12.6-3 \|\| =8.11.2~ds+~2.1.1-1 \|\| =8.12.0~ds+~2.1.1-1 \|\| =8.12.0~ds+~2.1.1-2 \|\| =8.12.0~ds+~2.1.1-3 \|\| =8.12.0~ds+~2.1.1-4 \|\| =8.12.0~ds+~2.1.1-5 \|\| =8.17.1~ds+~3.0.1+~3.1.0-1 \|\| =8.17.1~ds+~3.0.1+~3.1.0-2 \|\| =8.17.1~ds+~3.0.1+~3.1.0-3 \|\| =8.17.1~ds+~3.0.1+~3.1.0-4 \|\| =8.18.0~ds+~cs6.1.1-1 \|\| =8.18.0~ds+~cs6.1.1-2 \|\| =8.8.2~ds+~2.1.1-1	-
debian 12	node-ajv	=6.12.6-3 \|\| =8.11.2~ds+~2.1.1-1 \|\| =8.12.0~ds+~2.1.1-1 \|\| =8.12.0~ds+~2.1.1-2 \|\| =8.12.0~ds+~2.1.1-3 \|\| =8.12.0~ds+~2.1.1-4 \|\| =8.12.0~ds+~2.1.1-5 \|\| =8.17.1~ds+~3.0.1+~3.1.0-1 \|\| =8.17.1~ds+~3.0.1+~3.1.0-2 \|\| =8.17.1~ds+~3.0.1+~3.1.0-3 \|\| =8.17.1~ds+~3.0.1+~3.1.0-4 \|\| =8.18.0~ds+~cs6.1.1-1 \|\| =8.18.0~ds+~cs6.1.1-2 \|\| =8.8.2~ds+~2.1.1-1	-
debian 13	node-ajv	=8.12.0~ds+~2.1.1-5 \|\| =8.17.1~ds+~3.0.1+~3.1.0-1 \|\| =8.17.1~ds+~3.0.1+~3.1.0-2 \|\| =8.17.1~ds+~3.0.1+~3.1.0-3 \|\| =8.17.1~ds+~3.0.1+~3.1.0-4 \|\| =8.18.0~ds+~cs6.1.1-1 \|\| =8.18.0~ds+~cs6.1.1-2	-
debian 14	node-ajv	=8.12.0~ds+~2.1.1-5 \|\| =8.17.1~ds+~3.0.1+~3.1.0-1 \|\| =8.17.1~ds+~3.0.1+~3.1.0-2 \|\| =8.17.1~ds+~3.0.1+~3.1.0-3 \|\| =8.17.1~ds+~3.0.1+~3.1.0-4 \|\| =8.18.0~ds+~cs6.1.1-1 \|\| =8.18.0~ds+~cs6.1.1-2	-
npm	fast-uri	>=0 <3.1.2	3.1.2

Aliases

1. CVE-2026-63222. NVD-2026-63223. OSV-DEBIAN-2026-63224. OSV-2026-63225. GHSA-v39h-62p7-jpjc6. GCVE-2026-63227. SECURITY-TRACKER-CVE-2026-6322

References

1. https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc2. https://cna.openjsf.org/security-advisories.html