CVE-2026-6322 Affecting serve package, versions <14.2.6-r3
Severity

Recommended: low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS: 0.48% (38th percentile)

  • Snyk ID: SNYK-WOLFILATEST-SERVE-17672101
  • Published: 29 Jun 2026
  • Disclosed: 5 May 2026

Introduced: 5 May 2026

CVE-2026-6322

How to fix?

Upgrade Wolfi serve to version 14.2.6-r3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream serve package and not to the serve package as distributed by Wolfi. See "How to fix?" above for the Wolfi-relevant fixed versions and status.

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
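The following is an added illustration, not code from the advisory or from fast-uri: `naiveNormalize` is a constructed, simplified model of the flawed decode-then-re-emit behaviour described above, and `isAllowedTarget` is a defensive host check that inspects the raw authority before any decoding and refuses to proceed if normalization shifts the authority to a different host. The hostnames are constructed sample values.

```javascript
// Percent-encoded forms of the authority delimiters @ : / ? # [ ] that must
// never appear inside a host component.
const ENCODED_DELIMS = /%(40|3a|2f|3f|23|5b|5d)/i;

// Raw (undecoded) authority of an absolute URI, or null if there is none.
function rawAuthority(uri) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(uri);
  return m ? m[1] : null;
}

// Raw host of an authority: text after the last "@", before any port,
// with no percent-decoding applied. IPv6 literals are kept in brackets.
function rawHost(authority) {
  const afterUserinfo = authority.slice(authority.lastIndexOf('@') + 1);
  if (afterUserinfo.startsWith('[')) {
    return afterUserinfo.slice(0, afterUserinfo.indexOf(']') + 1).toLowerCase();
  }
  return afterUserinfo.split(':')[0].toLowerCase();
}

// Constructed model of the flawed behaviour (NOT fast-uri's code): decode
// the whole authority, then re-emit it raw, so "%40" becomes a live "@".
function naiveNormalize(uri) {
  const auth = rawAuthority(uri);
  if (auth === null) return uri;
  try {
    const decoded = decodeURIComponent(auth);
    return uri.replace(auth, () => decoded);
  } catch (e) {
    return uri; // malformed percent-encoding: leave the input untouched
  }
}

// Host seen before and after normalization; a difference means the
// normalizer changed which server the URI refers to.
function authorityDrift(uri, normalize = naiveNormalize) {
  const before = rawAuthority(uri);
  const after = rawAuthority(normalize(uri));
  return { before: before && rawHost(before), after: after && rawHost(after) };
}

// Defensive check: no encoded delimiters in the raw host, host on the
// allowlist, and host unchanged by normalization.
function isAllowedTarget(uri, allowlist, normalize = naiveNormalize) {
  const auth = rawAuthority(uri);
  if (auth === null) return false;
  const host = rawHost(auth);
  if (ENCODED_DELIMS.test(host) || !allowlist.includes(host)) return false;
  return authorityDrift(uri, normalize).after === host;
}
```

An encoded "@" inside userinfo (for example `https://user%40corp@allowed.example/`) is legitimate and still passes, because only the host segment is inspected for encoded delimiters.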

CVSS Base Scores

version 3.1