Description
H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue.
Published: 2026-03-20
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a host header spoofing flaw in the NodeRequestUrl component of the H3 framework that allows an attacker to craft a Host header to cause the middleware path check to fail while the route handler still processes the request. This permits the bypass of authentication or authorization checks implemented in middleware, resulting in unauthorized access to protected routes. The weakness is classified as CWE‑290. No execution of arbitrary code is possible, but the effect is a privilege escalation within the application.

Affected Systems

Vulnerable versions of the H3 JavaScript framework from 2.0.0‑0 through 2.0.1‑rc.14 affect any Node.js application that uses event.url properties in middleware, including frameworks built on H3 such as Nitro or Nuxt. The affected artifacts are listed by CPE as h3 h3 2.0.0 to 2.0.1‑rc.14 for Node JavaScript.

Risk and Exploitability

The CVSS base score is 7.4, indicating high severity. The EPSS score is below 1 %, suggesting a low current exploitation probability, and the vulnerability is not in the CISA KEV catalog. An attacker must control the Host header of an HTTP request which is typically achievable when the target is exposed to arbitrary clients, such as a public web server. The vulnerability can be exploited by sending a request with a crafted Host header that includes a path component; the framework will then process the route handler but skip the middleware guard, allowing unauthorized access.

Generated by OpenCVE AI on March 20, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to h3 version 2.0.1‑rc.15 or later, which contains a patch for the vulnerability.
  • If an upgrade is not immediately possible, remove any use of event.url, event.url.hostname, or event.url._url from authentication or authorization middleware, or sanitize the Host header before it is used in URL construction.
  • Implement an explicit Host header validation step to ensure the value matches the expected domain and port before using it to build URLs.
  • Monitor incoming requests for unusual Host header values and alert on repeated attempts to use malformed headers.

Generated by OpenCVE AI on March 20, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3vj8-jmxq-cgj5 h3 has a middleware bypass with one gadget
History

Fri, 20 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared H3
H3 h3
CPEs cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*
Vendors & Products H3
H3 h3

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared H3js
H3js h3
Vendors & Products H3js
H3js h3

Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue.
Title h3 has a middleware bypass with one gadget
Weaknesses CWE-290
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T11:25:53.880Z

Reserved: 2026-03-17T20:35:49.927Z

Link: CVE-2026-33131

cve-icon Vulnrichment

Updated: 2026-03-20T11:25:38.802Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T11:18:02.700

Modified: 2026-03-20T19:45:14.473

Link: CVE-2026-33131

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:34Z

Weaknesses