fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The fast-uri library's normalize() function contains a critical flaw where percent-encoded authority delimiters (specifically the at-sign character, %40) within the host component are decoded during normalization but then re-emitted as raw delimiters during serialization. This transforms a carefully crafted URI like "https://allowed-domain.com%40attacker.com" into "https://allowed-domain.com@attacker.com", fundamentally changing the authority structure. The second domain now becomes the actual host, while the first becomes userinfo credentials. This vulnerability directly impacts applications performing host allowlist validation, redirect URL verification, or outbound request routing against normalized URIs—attackers can bypass these security controls by encoding delimiters that get decoded at the wrong stage of processing, causing the application to route requests to unintended destinations while security checks see an approved domain.
Casky's extended reasoning across 754 security skills enables practitioners to identify attack patterns associated with this vulnerability by analyzing URI manipulation and host validation logic flows. While this specific CVE maps to CWE-436 (Incorrect Parsing) rather than discrete MITRE ATT&CK techniques, practitioners using Casky would detect suspicious findings around URL normalization libraries, inconsistent authority parsing between validation and execution layers, and encoding/decoding mismatches in web routing logic. Security teams would see alerts flagging applications that normalize URLs before performing host validation checks, particularly those using vulnerable versions of fast-uri, combined with skill-based detection of request routing anomalies where the parsed host differs from the validated host—a classic indicator of parser-based access control bypass attempts.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-6322. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation