36 matches found
CVE-2026-33490
A flaw was found in H3, a minimal HTTP framework. The mount method, responsible for routing requests to sub-applications, incorrectly uses a simple string comparison to check path prefixes. This allows a remote attacker to craft a URL that bypasses the intended path segment boundary. Consequently...
CVE-2026-33490
H3 is a minimal HTTP framework. In versions 2.0.0-0 through 2.0.1-rc.16, the mount method in h3 uses a simple startsWith check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary i.e., that the next...
CVE-2026-33490 h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
H3 is a minimal HTTP framework. In versions 2.0.0-0 through 2.0.1-rc.16, the mount method in h3 uses a simple startsWith check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary i.e., that the next...
CVE-2026-33490 h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
H3 is a minimal HTTP framework. In versions 2.0.0-0 through 2.0.1-rc.16, the mount method in h3 uses a simple startsWith check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary i.e., that the next...
CVE-2026-33490 h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
H3 is a minimal HTTP framework. In versions 2.0.0-0 through 2.0.1-rc.16, the mount method in h3 uses a simple startsWith check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary i.e., that the next...
CVE-2026-33490
The connected document provides concrete details for CVE-2026-33490: a missing path-segment boundary check in the h3 library allows a mounted sub-app at a base path (e.g., /admin) to leak middleware-induced context (such as isAdmin) to unrelated routes that merely share the string prefix (e.g., /...
H3 安全漏洞
H3 is an open-source HTTP framework developed by H3. Versions of H3 prior to 2.0.2-rc.17 contained security vulnerabilities. These vulnerabilities stemmed from the use of the startsWith method for checking paths, without verifying the boundaries of path segments. This could lead to middleware...
H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation
Summary The redirectBack utility in h3 validates that the Referer header shares the same origin as the request before using its pathname as the redirect Location. However, the pathname is not sanitized for protocol-relative paths starting with //. An attacker can craft a same-origin URL with a...
GHSA-FP4X-GGRF-WMC6 H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation
Summary The redirectBack utility in h3 validates that the Referer header shares the same origin as the request before using its pathname as the redirect Location. However, the pathname is not sanitized for protocol-relative paths starting with //. An attacker can craft a same-origin URL with a...
Allocation of Resources Without Limits or Throttling
Overview h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the getChunkedCookieCount function. An attacker can cause the server to enter an inefficient cleanup...
Directory Traversal
Overview h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Directory Traversal via the serveStatic utility. An attacker can access arbitrary files from backend storage by sending specially crafted requests containing...
CVE-2026-33129
A flaw was found in H3, a minimal HTTP framework. A remote attacker can exploit a Timing Side-Channel vulnerability in the requireBasicAuth function. This vulnerability arises from the use of an unsafe string comparison, allowing the attacker to deduce valid passwords character-by-character by...
CVE-2026-33131
A flaw was found in H3, a minimal HTTP framework. When event.url, event.url.hostname, or event.url.url is accessed, such as in a logging middleware, the url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler befor...
CVE-2026-33128
A flaw was found in H3, a minimal HTTP framework. A remote attacker can exploit this flaw by injecting malicious Server-Sent Events SSE due to improper sanitization of newline characters in the formatEventStreamMessage and formatEventStreamComment functions. An attacker who controls any part of a...
CVE-2026-33131
H3 is a minimal HTTP framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl which extends FastURL which allows middleware bypass. When event.url, event.url.hostname, or event.url.url is accessed, such as in a logging middleware, the url...
CVE-2026-33131 h3 has a middleware bypass with one gadget
H3 is a minimal HTTP framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl which extends FastURL which allows middleware bypass. When event.url, event.url.hostname, or event.url.url is accessed, such as in a logging middleware, the url...
CVE-2026-33131
H3 is a minimal HTTP framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl which extends FastURL which allows middleware bypass. When event.url, event.url.hostname, or event.url.url is accessed, such as in a logging middleware, the url...
CVE-2026-33131 h3 has a middleware bypass with one gadget
H3 is a minimal HTTP framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl which extends FastURL which allows middleware bypass. When event.url, event.url.hostname, or event.url.url is accessed, such as in a logging middleware, the url...
CVE-2026-33131
CVE-2026-33131 affects H3, a minimal HTTP framework. Versions 2.0.0-0 through 2.0.1-rc.14 expose a Host header spoofing flaw in the NodeRequestUrl/FastURL path, enabling middleware bypass when an attacker manipulates event.url properties (e.g., via Host header) so route matching succeeds but auth...
CVE-2026-33131 h3 has a middleware bypass with one gadget
H3 is a minimal HTTP framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl which extends FastURL which allows middleware bypass. When event.url, event.url.hostname, or event.url.url is accessed, such as in a logging middleware, the url...