npm package
h3
pkg:npm/h3
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33490 | Low | 3.7 | — | >= 2.0.1-alpha.0, < 2.0.1-rc.17 | 2.0.1-rc.17 | Mar 26, 2026 | H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment bo |
| CVE-2026-33131 | — | — | — | >= 2.0.0-0, < 2.0.1-rc.15 | 2.0.1-rc.15 | Mar 20, 2026 | H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a loggin |
| CVE-2026-33129 | — | — | — | >= 2.0.0-beta.0, < 2.0.1-rc.9 | 2.0.1-rc.9 | Mar 20, 2026 | H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by |
| CVE-2026-33128 | — | — | — | >= 2.0.0, < 2.0.1-rc.15 | 2.0.1-rc.15 | Mar 20, 2026 | H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker |
| CVE-2026-23527 | High | 8.9 | — | < 1.15.5 | 1.15.5 | Jan 15, 2026 | H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per |