CVE-2026-33131
Published 2026-03-20
Priority P3
CVSS 3.1: 9.1 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.39% (30.7th percentile)
H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h3 | h3 | — | — |
| h3 | h3 | — | — |
| h3 | h3 | >= 2.0.0-0 < 2.0.1-rc.15 | 2.0.1-rc.15 |
| h3js | h3 | — | — |
| srvx | srvx | >= 0 < 0.11.13 | 0.11.13 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| GHSA | — | 9.1 | Critical | — |
| OSV | — | 9.1 | Critical | — |
OSV
CVE-2026-33732 [CRITICAL] srvx is vulnerable to middleware bypass via absolute URI in request line
osv · 2026-03-26 · CVSS 9.1
## Summary
A pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`).
## Details
When Node.js receives an absolute URI in the request line (e.g. `GET file://hehe?/internal/run HTTP/1.1`), `req.url` is set verbatim to `file://hehe?/internal/run`. Since this doesn't start with `/`, `NodeRequestURL` passes it directly to `FastURL` as a string, which stores it in `#href` for lazy manual parsing.
`FastURL#getPos()` locates the pathname by finding `://` then scanning for the next `/` — but this fails for URLs like `file://hehe?/internal/run` where a `?` appears before the first `/` after the
GHSA
CVE-2026-33732 [CRITICAL] CWE-706 srvx is vulnerable to middleware bypass via absolute URI in request line
ghsa · 2026-03-26 · CVSS 9.1 (advisory text identical to the OSV entry above)
OSV
CVE-2026-33131 [HIGH] h3 has a middleware bypass with one gadget
osv · 2026-03-18
# H3 NodeRequestUrl bugs
Vulnerable pieces of code:
```js
import { H3, serve, defineHandler } from "h3";

const app = new H3();

// Guard for the internal route: requires a shared secret header.
const internalOnly = defineHandler((event, next) => {
  const token = event.headers.get("x-internal-key");
  if (token !== "SUPERRANDOMCANNOTBELEAKED") {
    return new Response("Forbidden", { status: 403 });
  }
  return next();
});

// The "gadget": reading event.url.hostname builds the lazy URL from the
// untrusted Host header before the path-scoped guard below is evaluated.
const logger = defineHandler((event, next) => {
  console.log("Logging : " + event.url.hostname);
  return next();
});

app.use(logger);
app.use("/internal/run", internalOnly);
app.get("/internal/run", () => {
  return "Internal OK";
});

serve(app, { port: 3001 });
```
The middleware is super safe now with just a logger and a middleware to block internal acc
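Both advisories on this page turn on the same class of bug: the path a router matched on and the pathname a URL object later reports can differ once attacker-controlled bytes (the Host header in the h3 case, an absolute-form request target in the srvx case) are fed into URL construction. The following is an added example, not code from h3 or srvx; it reconstructs both discrepancies with the advisories' own inputs and shows two edge checks that refuse such requests. The lazy-URL construction and the `getPos` scan are modelled on the advisories' descriptions, not on the libraries' actual source.

```javascript
// Added example, not code from h3 or srvx: reconstructs the two parsing
// discrepancies the advisories describe, plus the edge checks that close them.
// The URL-construction and getPos logic below are assumptions from the text.

// Path the router matched on: the raw request target minus any query string.
function routerPath(reqUrl) {
  const q = reqUrl.indexOf("?");
  return q === -1 ? reqUrl : reqUrl.slice(0, q);
}

// Lazy event.url as the h3 advisory describes it: scheme + Host header + req.url
// fed to a URL parser. A Host containing "/" or "?" shifts where the path begins.
function eventUrlPathname(hostHeader, reqUrl, scheme = "http") {
  return new URL(scheme + "://" + hostHeader + reqUrl).pathname;
}

// Naive scan modelled on the srvx advisory's description of FastURL#getPos():
// find "://", then the first "/" after it, never checking whether a "?" (start
// of the query) came earlier. Only meaningful for absolute-form targets.
function naivePathname(href) {
  const start = href.indexOf("/", href.indexOf("://") + 3);
  if (start === -1) return "/";
  const q = href.indexOf("?", start);
  return q === -1 ? href.slice(start) : href.slice(start, q);
}

// Hardening 1: a Host header is only host[:port]. "/", "?", "#", "@" and
// whitespace are never valid there; bracketed IPv6 literals are allowed.
const HOST_RE = /^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~%-]+)(?::\d{1,5})?$/;
function isValidHostHeader(host) {
  return HOST_RE.test(host);
}

// Hardening 2: accept only origin-form targets ("/path?query"); absolute-form
// targets such as "file://hehe?/internal/run" are refused before any parsing.
function isOriginForm(reqUrl) {
  return reqUrl.startsWith("/");
}

// Would a guard keyed on event.url.pathname disagree with the router?
function routerMiddlewareMismatch(hostHeader, reqUrl) {
  return routerPath(reqUrl) !== eventUrlPathname(hostHeader, reqUrl);
}

// Constructed inputs, taken from the advisories' own examples.
console.log(routerMiddlewareMismatch("localhost:3000", "/internal/run"));
console.log(routerMiddlewareMismatch("localhost:3000/abchehe?", "/internal/run"));
console.log(naivePathname("file://hehe?/internal/run"), new URL("file://hehe?/internal/run").pathname);
console.log(isValidHostHeader("localhost:3000/abchehe?"), isOriginForm("file://hehe?/internal/run"));
```

The third line prints `/internal/run /` (naive scan versus spec parser for the same string) and the fourth prints `false false`, which is the gap the two edge checks close before any URL object is built.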
GHSA
CVE-2026-33131 [HIGH] CWE-290 h3 has a middleware bypass with one gadget
ghsa · 2026-03-18 (advisory text identical to the OSV entry above)
No detection rules found.
No public exploits indexed.