H3Js H3 vulnerabilities
5 known vulnerabilities affecting h3js/h3.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, MEDIUM 2
Vulnerabilities
CVE-2026-33128 (P2, CRITICAL, CVSS 10.0, CWE-93)
Affected: >= 2.0.0, < 2.0.1-rc.15; fixed in 1.15.6
Date: 2026-03-20
Description: H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or co
Source: NVD
CVE-2026-33131 (P3, CRITICAL, CVSS 9.1, CWE-290)
Affected: >= 2.0.0-0, < 2.0.1-rc.15
Date: 2026-03-20
Description: H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, i
Source: NVD
CVE-2026-23527 (P3, CRITICAL, CVSS 9.8, CWE-444)
Affected: versions prior to 1.15.5; fixed in 1.15.5
Date: 2026-01-15
Description: H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is
Source: NVD
CVE-2026-33129 (P4, MEDIUM, CVSS 5.9, CWE-208)
Affected: >= 2.0.1-beta.0, < 2.0.1-rc.9
Date: 2026-03-20
Description: H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password c
Source: NVD
CVE-2026-33490 (P4, MEDIUM, CVSS 5.3, CWE-706)
Affected: >= 2.0.1-alpha.0, < 2.0.1-rc.17
Date: 2026-03-26
Description: H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-s
Source: NVD