{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/fast-uri/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6322"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["fast-uri (\u003c= 3.1.1)"],"_cs_severities":["high"],"_cs_tags":["host-confusion","url-parsing","fast-uri","cve-2026-6322"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003efast-uri\u003c/code\u003e library, versions 3.1.1 and earlier, is susceptible to a host confusion vulnerability. The vulnerability stems from the library\u0026rsquo;s incorrect decoding of percent-encoded authority delimiters (\u003ccode\u003e%40\u003c/code\u003e as \u003ccode\u003e@\u003c/code\u003e, \u003ccode\u003e%3A\u003c/code\u003e as \u003ccode\u003e:\u003c/code\u003e) inside the host component of a URI. This leads to the delimiters being serialized back as raw characters, effectively altering the URI structure. An attacker can exploit this by crafting a malicious URL where a hostname is converted into userinfo plus a different host. This is a critical issue because applications that rely on \u003ccode\u003efast-uri\u003c/code\u003e for URL normalization before implementing security checks like host allowlisting, redirect validation, or outbound request routing can be tricked into directing users or requests to a malicious destination. 
This vulnerability is identified as CVE-2026-6322.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL containing a percent-encoded authority delimiter (e.g., \u003ccode\u003e%40\u003c/code\u003e) within the host part of the URL.\u003c/li\u003e\n\u003cli\u003eThe victim application uses the vulnerable \u003ccode\u003efast-uri\u003c/code\u003e library (version 3.1.1 or earlier) to parse and normalize the crafted URL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efast-uri\u003c/code\u003e decodes the percent-encoded delimiter, replacing it with its raw character equivalent (e.g., \u003ccode\u003e%40\u003c/code\u003e becomes \u003ccode\u003e@\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe normalized URL\u0026rsquo;s structure is altered, causing the host component to be misinterpreted. For example, \u003ccode\u003ehttp://trusted.com%40evil.com/\u003c/code\u003e becomes \u003ccode\u003ehttp://trusted.com@evil.com/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s security checks, such as host allowlisting or redirect validation, are performed on the modified URL.\u003c/li\u003e\n\u003cli\u003eDue to the altered host component, the security checks pass, even though the intended destination is malicious. 
In the example above, the host check would evaluate \u003ccode\u003eevil.com\u003c/code\u003e rather than \u003ccode\u003etrusted.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application redirects the user or routes the request to the attacker-controlled host (\u003ccode\u003eevil.com\u003c/code\u003e in the example).\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform malicious actions, such as phishing, serving malware, or stealing sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass security checks in applications that rely on the vulnerable \u003ccode\u003efast-uri\u003c/code\u003e library for URL normalization. This can lead to redirection to malicious sites, potentially affecting any application that uses the library for URL parsing and validation, including web browsers, web servers, and other network applications. The number of potential victims is dependent on the adoption rate of the vulnerable \u003ccode\u003efast-uri\u003c/code\u003e library. 
If exploited, the attacker could perform a wide range of malicious activities, from credential harvesting to serving malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003efast-uri\u003c/code\u003e library to version 3.1.2 or later to patch CVE-2026-6322.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect fast-uri Host Confusion Attempt\u0026rdquo; to your SIEM and tune for your environment, focusing on \u003ccode\u003ecs-uri\u003c/code\u003e containing encoded delimiters.\u003c/li\u003e\n\u003cli\u003eEnable web server logging for \u003ccode\u003ecs-uri\u003c/code\u003e to ensure accurate detection of malicious URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T19:13:01Z","date_published":"2026-05-08T19:13:01Z","id":"/briefs/2024-01-08-fast-uri-host-confusion/","summary":"The fast-uri library is vulnerable to host confusion due to improper handling of percent-encoded authority delimiters within the host component, potentially leading to redirection to unintended authorities.","title":"fast-uri Host Confusion Vulnerability via Percent-Encoded Authority Delimiters (CVE-2026-6322)","url":"https://feed.craftedsignal.io/briefs/2024-01-08-fast-uri-host-confusion/"}],"language":"en","title":"CraftedSignal Threat Feed — Fast-Uri","version":"https://jsonfeed.org/version/1.1"}