Impact
fast-uri v3.1.1 and earlier decodes percent-encoded authority delimiters (%40 as @, %3A as :) inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host.
For example, http://trusted.com%40evil.com/ normalizes to http://trusted.com@evil.com/, which reparses as host evil.com with userinfo trusted.com.
Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the original URL appeared to contain.
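The round trip above, reproduced with a small hypothetical parser (this is an added example, not fast-uri's code): parseUri, serializeUri, normalizeHostUnsafe, normalizeHostSafe and normalizeAndVerify are names invented here. The unsafe normalizer decodes every percent-escape in the host, as the vulnerable versions do; the safe one decodes only unreserved characters (RFC 3986 section 6.2.2.2), so %40 and %3A stay encoded. normalizeAndVerify is the check a caller can run on any normalizer: reparse the output and refuse it if the userinfo, host or port moved.

```javascript
// Hypothetical minimal URI parser for "scheme://authority/rest" (added example,
// not fast-uri). Userinfo ends at the last '@'; port follows the last ':' unless
// that ':' is inside an IPv6 literal (RFC 3986 section 3.2).
function parseUri(uri) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):\/\/([^/?#]*)([^]*)$/.exec(uri);
  if (!m) throw new Error('unsupported URI: ' + uri);
  const [, scheme, authority, rest] = m;
  const at = authority.lastIndexOf('@');
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  const colon = hostport.lastIndexOf(':');
  const hasPort = colon !== -1 && colon > hostport.lastIndexOf(']');
  const host = hasPort ? hostport.slice(0, colon) : hostport;
  const port = hasPort ? hostport.slice(colon + 1) : null;
  return { scheme: scheme.toLowerCase(), userinfo, host, port, rest };
}

// Rebuild the string from components; whatever is in `host` is written raw.
function serializeUri(p) {
  let authority = p.host;
  if (p.port !== null) authority += ':' + p.port;
  if (p.userinfo !== null) authority = p.userinfo + '@' + authority;
  return p.scheme + '://' + authority + p.rest;
}

// Flawed behaviour described in the advisory: decode every percent-escape in
// the host, including authority delimiters, and emit the characters raw.
function normalizeHostUnsafe(host) {
  return decodeURIComponent(host).toLowerCase();
}

// Safe behaviour: decode only escapes of unreserved characters
// (ALPHA / DIGIT / "-" / "." / "_" / "~"); keep everything else encoded with
// upper-case hex digits, so %40 and %3A never become '@' or ':'.
function normalizeHostSafe(host) {
  return host.replace(/%([0-9A-Fa-f]{2})/g, (esc, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /[A-Za-z0-9._~-]/.test(ch) ? ch : '%' + hex.toUpperCase();
  }).toLowerCase();
}

function normalizeUri(uri, normalizeHost) {
  const p = parseUri(uri);
  return serializeUri({ ...p, host: normalizeHost(p.host) });
}

// Guard for callers: normalization must not move the authority boundaries.
// Returns the normalized URI, or null when reparsing it yields a different
// userinfo, host or port than the input had.
function normalizeAndVerify(uri, normalizeHost) {
  const before = parseUri(uri);
  const out = normalizeUri(uri, normalizeHost);
  const after = parseUri(out);
  const decoded = (h) => decodeURIComponent(h).toLowerCase();
  const stable = after.userinfo === before.userinfo &&
                 after.port === before.port &&
                 decoded(after.host) === decoded(before.host);
  return stable ? out : null;
}

// Constructed input from the advisory: one host label containing "%40".
const input = 'http://trusted.com%40evil.com/';
console.log(parseUri(input).host);                               // trusted.com%40evil.com
console.log(normalizeUri(input, normalizeHostUnsafe));           // http://trusted.com@evil.com/
console.log(parseUri(normalizeUri(input, normalizeHostUnsafe))); // host evil.com, userinfo trusted.com
console.log(normalizeUri(input, normalizeHostSafe));             // http://trusted.com%40evil.com/
console.log(normalizeAndVerify(input, normalizeHostUnsafe));     // null: authority changed
console.log(normalizeAndVerify(input, normalizeHostSafe));       // unchanged URI
```

The same guard catches the %3A case: http://trusted.com%3A8080/ has no port before normalization, but the unsafe normalizer turns it into http://trusted.com:8080/, which reparses with port 8080, so normalizeAndVerify returns null. Normalizing only unreserved escapes (for example %2E to ".") passes the check, since the reparsed host decodes to the same value.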
Patches
Upgrade to fast-uri >= 3.1.2.
Workarounds
None. Upgrade to the patched version.