VYPR

npm package

h3

pkg:npm/h3

Vulnerabilities (5)

  • CVE-2026-33490 (Low), Mar 26, 2026
    affected >= 2.0.1-alpha.0, < 2.0.1-rc.17; fixed 2.0.1-rc.17

    H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment bo

  • CVE-2026-33131, Mar 20, 2026
    affected >= 2.0.0-0, < 2.0.1-rc.15; fixed 2.0.1-rc.15

    H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a loggin

  • CVE-2026-33129, Mar 20, 2026
    affected >= 2.0.0-beta.0, < 2.0.1-rc.9; fixed 2.0.1-rc.9

    H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by

  • CVE-2026-33128, Mar 20, 2026
    affected >= 2.0.0, < 2.0.1-rc.15; fixed 2.0.1-rc.15

    H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker

  • CVE-2026-23527 (High), Jan 15, 2026
    affected < 1.15.5; fixed 1.15.5

    H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per