CVE-2026-6322

Name: CVE-2026-6322
Description: fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1135998
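As an added illustration (not code from fast-uri or from the Debian tracker), the JavaScript below models the defect described above with a constructed stand-in normalizer and shows the caller-side check a defender would want: re-parse the normalized URI and reject it when its host component differs from the input's. The names vulnerableNormalize, hostOf, normalizeWithHostCheck and the sample URI are this example's own assumptions.

```javascript
// Added example, not fast-uri's code: models the CVE-2026-6322 defect and a
// caller-side check. All function names here are this example's own.

// Stand-in constructed to mirror the advisory text: it percent-decodes the
// whole authority and emits the decoded bytes raw, so an encoded "@" in the
// host becomes a real userinfo delimiter in the output.
function vulnerableNormalize(uri) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)([\s\S]*)$/i.exec(uri);
  if (!m) return uri;
  const [, scheme, authority, rest] = m;
  return `${scheme.toLowerCase()}://${decodeURIComponent(authority)}${rest}`;
}

// Host of a URI per RFC 3986 authority syntax: [userinfo "@"] host [":" port].
// The userinfo delimiter is the last "@"; the port is the last ":" that comes
// after any IPv6 literal. Returns null when the URI has no authority.
function hostOf(uri) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(uri);
  if (!m) return null;
  let host = m[1];
  const at = host.lastIndexOf('@');
  if (at !== -1) host = host.slice(at + 1);
  const close = host.lastIndexOf(']');
  const colon = host.lastIndexOf(':');
  if (colon > close) host = host.slice(0, colon);
  return host.toLowerCase();
}

// Defensive wrapper: normalization may change case or encoding, but it must
// never change which host the URI names. Reject the result otherwise, before
// any allowlist, redirect or outbound-request decision is made on it.
function normalizeWithHostCheck(uri, normalize) {
  const normalized = normalize(uri);
  const before = hostOf(uri);
  const after = hostOf(normalized);
  if (before === null || before !== after) {
    throw new Error(`normalize changed host: ${JSON.stringify(before)} -> ${JSON.stringify(after)}`);
  }
  return normalized;
}

// Constructed sample: allowed host, encoded "@", then a second host.
const sample = 'https://allowed.example%40evil.example/callback';
```

The wrapper is a belt-and-braces check for callers; the actual fix is upgrading fast-uri to 3.1.2 or later.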

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release     Version                 Status
node-ajv (PTS)    bullseye    6.12.6-2                fixed
                  bookworm    6.12.6-3                vulnerable
                  trixie      8.12.0~ds+~2.1.1-5      vulnerable
                  forky, sid  8.20.0~ds+~cs6.1.3-1    fixed

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version           Urgency   Origin   Debian Bugs
node-ajv   source   bullseye     (not affected)
node-ajv   source   (unstable)   8.20.0~ds+~cs6.1.3-1                       1135998

Notes

[trixie] - node-ajv <no-dsa> (Minor issue)
[bookworm] - node-ajv <no-dsa> (Minor issue)
[bullseye] - node-ajv <not-affected> (fast-uri not provided)
https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc
https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293 (v3.1.2)
Embedded fast-uri used and provided as node-fast-uri, starting with forky
