FKIE_CVE-2026-33131

Vulnerability from fkie_nvd - Published: 2026-03-20 11:18 - Updated: 2026-03-20 19:45
Summary
H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in NodeRequestUrl (which extends FastURL) that allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, for example in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) that makes the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue.
Impacted products (versions as listed in the CPE match criteria below)
Vendor Product Version
h3 h3 2.0.0
h3 h3 2.0.1-rc2
h3 h3 2.0.1-rc3
h3 h3 2.0.1-rc4
h3 h3 2.0.1-rc5
h3 h3 2.0.1-rc6
h3 h3 2.0.1-rc7
h3 h3 2.0.1-rc8
h3 h3 2.0.1-rc9
h3 h3 2.0.1-rc10
h3 h3 2.0.1-rc11
h3 h3 2.0.1-rc12
h3 h3 2.0.1-rc13
h3 h3 2.0.1-rc14

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "A80DE960-665D-4590-B6D5-645099B808E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*",
              "matchCriteriaId": "603A08FC-B20B-4693-90A1-0BF5F08B43AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*",
              "matchCriteriaId": "BCC5ECF0-0EED-48BC-95FA-1D2671A971A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*",
              "matchCriteriaId": "BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*",
              "matchCriteriaId": "3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*",
              "matchCriteriaId": "3D1C9D7B-3CE4-427B-93B4-EAF867159AFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*",
              "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*",
              "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*",
              "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*",
              "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*",
              "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*",
              "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*",
              "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*",
              "matchCriteriaId": "5E404148-6862-44F5-961D-10E8A742A4B6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3\u0027s router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue."
    },
    {
      "lang": "es",
      "value": "H3 es un framework H(TTP) m\u00ednimo. Las versiones 2.0.0-0 hasta 2.0.1-rc.14 contienen una vulnerabilidad de suplantaci\u00f3n de encabezado Host en NodeRequestUrl (que extiende FastURL) que permite el bypass de middleware. Cuando se accede a event.url, event.url.hostname, o event.url._url, como en un middleware de registro, el gestor de acceso _url construye una URL a partir de datos no confiables, incluyendo el encabezado Host controlado por el usuario. Debido a que el router de H3 resuelve el gestor de ruta antes de que se ejecute el middleware, un atacante puede proporcionar un encabezado Host manipulado (p. ej., Host: localhost:3000/abchehe?) para hacer que la verificaci\u00f3n de ruta del middleware falle mientras el gestor de ruta a\u00fan coincide, eludiendo efectivamente el middleware de autenticaci\u00f3n o autorizaci\u00f3n. Esto afecta a cualquier aplicaci\u00f3n construida sobre H3 (incluyendo Nitro/Nuxt) que acceda a las propiedades de event.url en middleware que protege rutas sensibles. El problema requiere una soluci\u00f3n inmediata para evitar que FastURL.href se construya con entrada no saneada y controlada por el atacante. La versi\u00f3n 2.0.1-rc.15 contiene un parche para este problema."
    }
  ],
  "id": "CVE-2026-33131",
  "lastModified": "2026-03-20T19:45:14.473",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-20T11:18:02.700",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-290"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}