FKIE_CVE-2026-33490

Vulnerability from fkie_nvd - Published: 2026-03-26 18:16 - Updated: 2026-03-31 21:00
Summary
H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.
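The following is an added example, not h3's own source and not the advisory's proof of concept: a minimal model of a mount-prefix matcher that reproduces the bare `startsWith()` behaviour described above and shows the segment-boundary check that fixes it. The toy app, the `isAdmin` context flag and the route names are assumptions made for illustration; only the `/admin` versus `/admin-public`, `/administrator`, `/adminstuff` behaviour comes from the advisory text.

```javascript
// Added example, not h3's source: a minimal model of mount() prefix matching
// that reproduces the CVE-2026-33490 bug and shows the segment-boundary fix.
// The app model, the `isAdmin` flag and the route names are assumptions made
// for illustration; only the /admin vs /admin-public behaviour comes from the
// advisory text.

// Vulnerable matcher: a bare prefix comparison, as the advisory describes.
function matchesMountVulnerable(base, pathname) {
  return pathname.startsWith(base);
}

// Fixed matcher: after the prefix, the path must end or continue with "/".
// A trailing slash on the base is normalised away so "/admin/" behaves like
// "/admin"; an empty or root base covers every path.
function matchesMountFixed(base, pathname) {
  const prefix = base.replace(/\/+$/, "");
  if (prefix === "") return true;
  if (!pathname.startsWith(prefix)) return false;
  const next = pathname.charAt(prefix.length);
  return next === "" || next === "/";
}

// Constructed probe paths: the advisory's examples plus two controls that
// genuinely belong to the mount and one that shares no prefix at all.
const PROBE_PATHS = [
  "/admin",
  "/admin/users",
  "/admin-public",
  "/administrator",
  "/adminstuff",
  "/api/status",
];

// Which probe paths a given matcher treats as inside the /admin mount.
function matchedPaths(matcher, base = "/admin") {
  return PROBE_PATHS.filter((p) => matcher(base, p));
}

// Toy app: mount middleware runs before the route handler and may mutate the
// per-request context, which is the shape of the flaw the advisory describes.
function createApp(matcher) {
  const mounts = [];
  const routes = new Map();
  return {
    mount(base, middleware) {
      mounts.push({ base, middleware });
    },
    route(pathname, handler) {
      routes.set(pathname, handler);
    },
    handle(pathname) {
      const ctx = { pathname, isAdmin: false };
      for (const { base, middleware } of mounts) {
        if (matcher(base, pathname)) middleware(ctx);
      }
      const handler = routes.get(pathname);
      return handler ? handler(ctx) : { status: 404, isAdmin: ctx.isAdmin };
    },
  };
}

// Hypothetical site: the /admin mount sets a privilege flag in context, and
// unrelated routes report (and would otherwise trust) that flag.
function buildSite(matcher) {
  const app = createApp(matcher);
  app.mount("/admin", (ctx) => {
    ctx.isAdmin = true; // assumed "context-setting middleware"
  });
  const report = (ctx) => ({ status: 200, isAdmin: ctx.isAdmin });
  for (const p of PROBE_PATHS) app.route(p, report);
  return app;
}

// Demo: compare the two matchers on the same requests.
for (const [name, matcher] of [
  ["vulnerable", matchesMountVulnerable],
  ["fixed", matchesMountFixed],
]) {
  const site = buildSite(matcher);
  console.log(name, "matches:", matchedPaths(matcher).join(", "));
  console.log(name, "/admin-public isAdmin =", site.handle("/admin-public").isAdmin);
}
```

Run with `node`. The vulnerable matcher claims five of the six probe paths for the `/admin` mount and sets `isAdmin` on `/admin-public`; the fixed matcher claims only `/admin` and `/admin/users`. To check a deployed application rather than this model, request a path that shares the mount's prefix without a segment boundary (for example `/admin-public` against a `/admin` mount) alongside a path that cannot match, and look for any behaviour attributable to the mounted middleware; the remediation on the page is to move to 2.0.2-rc.17 or later.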
Impacted products
Vendor Product Version
h3 h3 2.0.1-rc.1
h3 h3 2.0.1-rc.2
h3 h3 2.0.1-rc.3
h3 h3 2.0.1-rc.4
h3 h3 2.0.1-rc.5
h3 h3 2.0.1-rc.6
h3 h3 2.0.1-rc.7
h3 h3 2.0.1-rc.8
h3 h3 2.0.1-rc.9
h3 h3 2.0.1-rc.10
h3 h3 2.0.1-rc.11
h3 h3 2.0.1-rc.12
h3 h3 2.0.1-rc.13
h3 h3 2.0.1-rc.14
h3 h3 2.0.1-rc.15
h3 h3 2.0.1-rc.16

The CPE match list (see the `cpeMatch` entries below) enumerates only the 2.0.1 release candidates rc1 through rc16 for the Node.js target. The advisory text gives the affected range as 2.0.0-0 through 2.0.1-rc.16, so when checking a lockfile match against that range rather than against the CPE list alone.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*",
              "matchCriteriaId": "910077BC-C84C-4CAB-A0A5-761047F6F43C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*",
              "matchCriteriaId": "603A08FC-B20B-4693-90A1-0BF5F08B43AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*",
              "matchCriteriaId": "BCC5ECF0-0EED-48BC-95FA-1D2671A971A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*",
              "matchCriteriaId": "BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*",
              "matchCriteriaId": "3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*",
              "matchCriteriaId": "3D1C9D7B-3CE4-427B-93B4-EAF867159AFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc15:*:*:*:node.js:*:*",
              "matchCriteriaId": "5AE7D8A6-4506-418A-ABA4-C820A1DA7E7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc16:*:*:*:node.js:*:*",
              "matchCriteriaId": "281715D9-6C86-4D4E-9833-C18A8CABD05A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*",
              "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*",
              "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*",
              "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*",
              "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*",
              "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*",
              "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*",
              "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*",
              "matchCriteriaId": "5E404148-6862-44F5-961D-10E8A742A4B6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application\u0027s path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch."
    },
    {
      "lang": "es",
      "value": "H3 es un framework H(TTP) m\u00ednimo. En las versiones 2.0.0-0 hasta la 2.0.1-rc.16, el m\u00e9todo \u0027mount()\u0027 en h3 usa una simple verificaci\u00f3n \u0027startsWith()\u0027 para determinar si las solicitudes entrantes caen bajo el prefijo de ruta de una subaplicaci\u00f3n montada. Debido a que esta verificaci\u00f3n no verifica un l\u00edmite de segmento de ruta (es decir, que el siguiente car\u00e1cter despu\u00e9s de la base es \u0027/\u0027 o el final de la cadena), el middleware registrado en un montaje como \u0027/admin\u0027 tambi\u00e9n se ejecutar\u00e1 para rutas no relacionadas como \u0027/admin-public\u0027, \u0027/administrator\u0027 o \u0027/adminstuff\u0027. Esto permite a un atacante activar middleware de configuraci\u00f3n de contexto en rutas que nunca se pretendi\u00f3 cubrir, potencialmente contaminando el contexto de la solicitud con indicadores de privilegio no deseados. La versi\u00f3n 2.0.2-rc.17 contiene un parche."
    }
  ],
  "id": "CVE-2026-33490",
  "lastModified": "2026-03-31T21:00:13.690",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-26T18:16:30.237",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-706"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

