Description
H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.
Published: 2026-03-26
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unintended Middleware Execution
Action: Patch
AI Analysis

Impact

The h3 HTTP framework uses a simple startsWith check in its mount() method to decide whether a request falls under a mounted sub‑application’s path prefix. This check does not verify that the next character after the base is a slash or the end of the string, so middleware registered on a path such as "/admin" will also run for unrelated routes such as "/admin-public", "/administrator", or "/adminstuff". The result is that an attacker can trigger context‑setting or other middleware on paths it was never intended to cover, potentially polluting the request context with unintended privilege flags.

Affected Systems

Node.js applications that import the h3 package and use the mount() feature are affected when the package version is between 2.0.0-0 and 2.0.1-rc.16 inclusive. All release candidates from rc1 through rc16 of the 2.0.1 series are listed as vulnerable. The vulnerability is fixed in version 2.0.2-rc.17 and newer.

Risk and Exploitability

The CVSS score of 3.7 indicates moderate severity, while an EPSS less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker sending HTTP requests to the target application and knowing or guessing a mounted path prefix. Based on the description, it is inferred that an attacker could alter request context fields, which may affect authorization decisions. The impact depends on how the application uses the context. Overall risk is moderate.

Generated by OpenCVE AI on April 1, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the h3 package to version 2.0.2‑rc.17 or newer, which implements a proper path boundary check.
  • Verify that the upgraded environment does not contain legacy mount configurations that reference older releases.
  • If an immediate upgrade is not possible, restrict access to administrative route prefixes through a reverse proxy or firewall and monitor logs for unexpected requests to those prefixes as a temporary countermeasure.

Generated by OpenCVE AI on April 1, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2j6q-whv2-gh6w h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared H3
H3 h3
CPEs cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc15:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc16:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*
Vendors & Products H3
H3 h3

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared H3js
H3js h3
Vendors & Products H3js
H3js h3

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.
Title h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
Weaknesses CWE-706
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:23:39.653Z

Reserved: 2026-03-20T16:16:48.971Z

Link: CVE-2026-33490

cve-icon Vulnrichment

Updated: 2026-03-26T17:46:23.495Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T18:16:30.237

Modified: 2026-03-31T21:00:13.690

Link: CVE-2026-33490

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-26T17:19:15Z

Links: CVE-2026-33490 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:35Z

Weaknesses