fast-uri Host Confusion Vulnerability via Percent-Encoded Authority Delimiters
Vulnerability
A vulnerability in fast-uri versions through 3.1.1 allows host confusion through the mishandling of percent-encoded authority delimiters in the host component of a URI. The library decodes these delimiters and re-emits them as raw characters during serialization, which can change which authority the URI appears to address. Applications that normalize untrusted URLs before performing host allowlist checks, redirect validation, or outbound request routing can therefore be led to send requests to a different authority than the one originally specified.
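The following is an added example, not fast-uri's own code: flawedNormalize is a constructed model of the behaviour described above, and trustedHostAfterNormalize is the guard an application can apply to any normalizer's output before using a host for allowlisting or routing.

```javascript
// Added example; this is not fast-uri's code. flawedNormalize is a constructed
// model of the behaviour described in the advisory, and trustedHostAfterNormalize
// is the guard an application can apply to any normalizer's output.
const AUTHORITY = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)(.*)$/i;
// Percent-encoded forms of the RFC 3986 delimiters that split an authority: @ : / ? # [ ]
const ENCODED_DELIMITER = /%(40|3a|2f|3f|23|5b|5d)/i;

// Host exactly as written in the authority: userinfo and port stripped, nothing decoded.
function literalHost(uri) {
  const m = AUTHORITY.exec(uri);
  if (!m) return null;
  const hostPort = m[2].slice(m[2].lastIndexOf('@') + 1);
  const host = hostPort.startsWith('[')
    ? hostPort.slice(0, hostPort.indexOf(']') + 1)
    : hostPort.replace(/:\d*$/, '');
  return host.toLowerCase();
}

// Constructed model of the flaw: the authority is percent-decoded and written
// back raw, so an encoded '@' or '/' becomes a real delimiter. Not a usable normalizer.
function flawedNormalize(uri) {
  const m = AUTHORITY.exec(uri);
  if (!m) return uri;
  try {
    return `${m[1].toLowerCase()}://${decodeURIComponent(m[2])}${m[3]}`;
  } catch {
    return uri; // malformed percent-escape: leave the input untouched
  }
}

// Guard: returns the host to compare against an allowlist, or null when the
// normalized form must not be trusted in place of the original.
function trustedHostAfterNormalize(original, normalize) {
  const before = literalHost(original);
  // Reject outright: an encoded delimiter inside a host has no legitimate meaning here.
  if (before === null || ENCODED_DELIMITER.test(before)) return null;
  const after = literalHost(normalize(original));
  // Reject if normalization moved the authority boundary for any other reason.
  return after === before ? after : null;
}
```

The guard compares the host text before normalization with the host a downstream parser will see afterwards, so a normalizer that turns `%40` into a raw `@` is caught even if the allowlist check itself never decodes anything.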
Impact
Exploitation of this vulnerability has a high integrity impact: an application can be misled about the true destination of a URL, enabling unauthorized redirections or request routing to an unintended host.
Remediation
Users are advised to upgrade to fast-uri version 3.1.2 or later.
