High severity (score 8.9) · NVD Advisory · Published Jan 15, 2026 · Updated Apr 13, 2026
CVE-2026-23527
Description
H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, it contains a critical HTTP Request Smuggling vulnerability: readRawBody performs a strict, case-sensitive check of the Transfer-Encoding header, looking only for the exact value "chunked", whereas the RFC defines transfer-coding names as case-insensitive. A request whose header reads, for example, "Transfer-Encoding: ChunKed" is therefore treated by h3 as having no chunked body while other components in the request path treat it as chunked, which is the framing disagreement request smuggling relies on. This vulnerability is fixed in 1.15.5.
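To make the framing decision concrete, here is an added example in TypeScript that is not part of h3 or of the advisory. It places the pre-fix shape of the check (exact, case-sensitive token match) beside a parser that follows RFC 9112 (which obsoleted RFC 7230): transfer-coding names are compared case-insensitively after splitting on commas, chunked must be the final coding, and a request that carries both Transfer-Encoding and Content-Length is rejected rather than guessed at. The `HeaderMap` type, the function names, and the header values fed in are all assumptions made for the example; header names are assumed to be lowercased, as Node's HTTP parser delivers them.

```typescript
// Added example, not h3 project code. Assumes header names are already
// lowercased (as Node's http module provides them).
type HeaderMap = Record<string, string | undefined>;

// Split a Transfer-Encoding field value into lowercase coding tokens.
// "Gzip , ChunKed;q=1" -> ["gzip", "chunked"]; parameters after ";" are dropped.
function parseTransferEncoding(value: string | undefined): string[] {
  return String(value ?? "")
    .split(",")
    .map((part) => (part.split(";")[0] ?? "").trim().toLowerCase())
    .filter((token) => token.length > 0);
}

// The pre-fix shape of the check described in the advisory: an exact,
// case-sensitive comparison, so "ChunKed" is not recognised as chunked.
function hasChunkedBodyVulnerable(headers: HeaderMap): boolean {
  return String(headers["transfer-encoding"] ?? "")
    .split(",")
    .map((e) => e.trim())
    .filter(Boolean)
    .includes("chunked");
}

// A regex of the form /\bchunked\b/i treats "-" as a word boundary, so it
// also matches coding names that merely contain "chunked" (e.g. "x-chunked").
function regexMatchesChunked(value: string): boolean {
  return /\bchunked\b/i.test(value);
}

type Framing =
  | { kind: "chunked" }
  | { kind: "content-length"; length: number }
  | { kind: "none" }
  | { kind: "reject"; reason: string };

// Decide how the request body is framed, refusing the ambiguous cases that
// RFC 9112 section 6 calls out instead of silently picking one reading.
function decideFraming(headers: HeaderMap): Framing {
  const codings = parseTransferEncoding(headers["transfer-encoding"]);
  const rawLength = headers["content-length"];

  if (codings.length > 0) {
    // RFC 9112 6.3: Transfer-Encoding overrides Content-Length, and a message
    // carrying both is a smuggling indicator; reject rather than reconcile.
    if (rawLength !== undefined) {
      return { kind: "reject", reason: "both Transfer-Encoding and Content-Length present" };
    }
    // RFC 9112 6.1: chunked must be the final transfer coding of a request.
    if (codings[codings.length - 1] !== "chunked") {
      return { kind: "reject", reason: "final transfer coding is not chunked" };
    }
    if (codings.indexOf("chunked") !== codings.length - 1) {
      return { kind: "reject", reason: "chunked applied more than once" };
    }
    return { kind: "chunked" };
  }

  if (rawLength === undefined) {
    return { kind: "none" };
  }
  // Content-Length must be a plain non-negative decimal integer.
  if (!/^\d+$/.test(rawLength.trim())) {
    return { kind: "reject", reason: "Content-Length is not a non-negative integer" };
  }
  return { kind: "content-length", length: Number(rawLength.trim()) };
}

// Constructed sample headers, one per case of interest.
const samples: Array<[string, HeaderMap]> = [
  ["mixed case", { "transfer-encoding": "ChunKed" }],
  ["list form", { "transfer-encoding": "gzip, ChunKed" }],
  ["chunked not last", { "transfer-encoding": "chunked, gzip" }],
  ["both framings", { "transfer-encoding": "chunked", "content-length": "5" }],
  ["lookalike coding", { "transfer-encoding": "x-chunked" }],
  ["plain length", { "content-length": "12" }],
];

for (const [label, headers] of samples) {
  const te = headers["transfer-encoding"] ?? "";
  console.log(
    label.padEnd(18),
    "vulnerable:", hasChunkedBodyVulnerable(headers),
    "regex:", regexMatchesChunked(te),
    "framing:", JSON.stringify(decideFraming(headers)),
  );
}
```

The "mixed case" row is the advisory's bug (the vulnerable check says `false`, the RFC-based parser says chunked), and the "lookalike coding" row shows why token comparison is preferable to a word-boundary regex: the regex reports a match for `x-chunked` while `decideFraming` rejects it as an unknown final coding.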
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| h3 (npm) | < 1.15.5 | 1.15.5 |
Patches
618ccf4f37b8 fix(readRawBody): fix case-sensitive `Transfer-Encoding` check causing request smuggling risk
2 files changed · +39 −5
src/utils/body.ts+3 −5 modified@@ -109,11 +109,9 @@ export function readRawBody<E extends Encoding = "utf8">( if ( !Number.parseInt(event.node.req.headers["content-length"] || "") && - !String(event.node.req.headers["transfer-encoding"] ?? "") - .split(",") - .map((e) => e.trim()) - .filter(Boolean) - .includes("chunked") + !/\bchunked\b/i.test( + String(event.node.req.headers["transfer-encoding"] ?? ""), + ) ) { return Promise.resolve(undefined); }
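Review bot: the replacement `/\bchunked\b/i` is looser than the token comparison it removes, because `\b` treats `-` as a boundary, so a value such as `x-chunked` now satisfies the check although it names a different coding; keep the comma split and compare each trimmed token case-insensitively instead, e.g. `.map((e) => e.trim().toLowerCase()).includes("chunked")`, which fixes the case bug without widening what counts as chunked. The condition also still only tests that chunked appears somewhere in the list, while RFC 9112 section 6.1 requires it to be the final transfer coding of a request; since this `if` decides only whether a body is expected, at least add a comment above it naming the RFC and the case-insensitivity rule, since that rule was the whole defect.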
test/body.test.ts+36 −0 modified@@ -94,6 +94,42 @@ describe("body", () => { expect(await result.body.text()).toBe("200"); }); + it("handles case-insensitive Transfer-Encoding: chunked header (CVE)", async () => { + // Test that Transfer-Encoding header check is case-insensitive per RFC 7230 + // This prevents HTTP Request Smuggling via TE.TE desynchronization attacks + + const testCases = [ + { encoding: "ChunKed", expected: '{"test":"data"}' }, + { encoding: "CHUNKED", expected: '{"test":"data"}' }, + { encoding: "Chunked", expected: '{"test":"data"}' }, + ]; + + for (const testCase of testCases) { + // Simulate a raw HTTP request with mixed-case Transfer-Encoding + const mockReq = { + method: "POST", + headers: { "transfer-encoding": testCase.encoding }, + on(event: string, handler: (chunk?: Buffer) => void) { + if (event === "data") { + // Simulate chunked data arrival + handler(Buffer.from(testCase.expected)); + } else if (event === "end") { + handler(); + } + return this; + }, + }; + + const mockEvent = { method: "POST", node: { req: mockReq } }; + + const result = await readRawBody(mockEvent as any); + + // Should properly read the body regardless of Transfer-Encoding case + // If the check is case-sensitive, this will fail and return undefined + expect(result).toEqual(testCase.expected); + } + }); + it("returns an empty string if body is empty", async () => { let _body: string | undefined = "initial"; app.use(
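Review bot: the three cases differ only in the letter case of a single token, so the test cannot tell the `\bchunked\b` regex apart from a case-insensitive comparison on a comma-split list; add the list form (`gzip, ChunKed`, and `gzip,chunked` without the space) and a negative case such as `x-chunked`, which the regex in `src/utils/body.ts` matches, so the intended token semantics are pinned down. The comment cites RFC 7230, which RFC 9112 obsoleted in 2022. The `on` mock fires the `data` and `end` handlers synchronously at registration, so the assertion is coupled to the order in which `readRawBody` registers its listeners rather than to stream semantics; a small `Readable` built from the expected bytes would exercise the real ordering, and would also remove the need for `mockEvent as any`. Minor: the title says `(CVE)` without the identifier; name CVE-2026-23527.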
References
- github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097 (NVD: Patch)
- github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-mp2g-9vg9-f4cg (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23527 (GHSA: Advisory)
- github.com/h3js/h3/releases/tag/v1.15.5 (NVD)
- simonkoeck.com/writeups/h3-transfer-encoding-request-smuggling (NVD)