{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23527", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T18:22:43.981Z", "datePublished": "2026-01-15T19:24:20.514Z", "dateUpdated": "2026-04-13T16:48:19.873Z"}, "containers": {"cna": {"title": "h3 v1 has Request Smuggling (TE.TE) issue", "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg"}, {"name": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097"}, {"name": "https://github.com/h3js/h3/releases/tag/v1.15.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/releases/tag/v1.15.5"}, {"name": "https://simonkoeck.com/writeups/h3-transfer-encoding-request-smuggling", "tags": ["x_refsource_MISC"], "url": "https://simonkoeck.com/writeups/h3-transfer-encoding-request-smuggling"}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"version": "< 1.15.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T16:48:19.873Z"}, "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for \"chunked\", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5."}], "source": {"advisory": "GHSA-mp2g-9vg9-f4cg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T19:59:57.020909Z", "id": "CVE-2026-23527", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T20:00:06.302Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23527", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-15T19:59:57.020909Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T19:59:59.151Z"}}], "cna": {"title": "h3 v1 has Request Smuggling (TE.TE) issue", "source": {"advisory": "GHSA-mp2g-9vg9-f4cg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"status": "affected", "version": "< 1.15.5"}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg", "name": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097", "name": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/h3js/h3/releases/tag/v1.15.5", "name": "https://github.com/h3js/h3/releases/tag/v1.15.5", "tags": ["x_refsource_MISC"]}, {"url": "https://simonkoeck.com/writeups/h3-transfer-encoding-request-smuggling", "name": "https://simonkoeck.com/writeups/h3-transfer-encoding-request-smuggling", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for \"chunked\", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T16:48:19.873Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23527", "state": "PUBLISHED", "dateUpdated": "2026-04-13T16:48:19.873Z", "dateReserved": "2026-01-13T18:22:43.981Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-15T19:24:20.514Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:h3:h3:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8AEE0C29-3BA5-4765-82CB-0CE73ACCEB77", "versionEndExcluding": "1.15.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for \"chunked\", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo dise\u00f1ado para alto rendimiento y portabilidad. Antes de 1.15.5, existe una vulnerabilidad cr\u00edtica de contrabando de solicitudes HTTP. readRawBody realiza una comprobaci\u00f3n estricta sensible a may\u00fasculas y min\u00fasculas para el encabezado Transfer-Encoding. Busca expl\u00edcitamente 'chunked', pero seg\u00fan la RFC, este encabezado deber\u00eda ser insensible a may\u00fasculas y min\u00fasculas. Esta vulnerabilidad est\u00e1 corregida en 1.15.5."}], "id": "CVE-2026-23527", "lastModified": "2026-04-13T17:16:27.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-15T20:16:05.620", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097"}, {"source": "security-advisories@github.com", "url": "https://github.com/h3js/h3/releases/tag/v1.15.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg"}, {"source": "security-advisories@github.com", "url": "https://simonkoeck.com/writeups/h3-transfer-encoding-request-smuggling"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "h3: h3: HTTP Request Smuggling due to improper case-sensitive parsing of Transfer-Encoding header", "id": "2430110", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430110"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-444", "details": ["A flaw was found in h3, a minimal HTTP (Hypertext Transfer Protocol) framework. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request where the Transfer-Encoding header uses a case variation of \"chunked\". The readRawBody function performs a strict case-sensitive check for this header, which violates the RFC standard requiring case-insensitivity. This improper parsing can lead to HTTP Request Smuggling, potentially allowing attackers to bypass security controls, poison web caches, or conduct other malicious activities."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-23527", "public_date": "2026-01-15T19:24:20Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23527\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23527\nhttps://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097\nhttps://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg"], "statement": "This vulnerability is rated Important for Red Hat products as it affects the h3 HTTP framework, which is used in Fedora 42 and 43. A remote attacker can exploit this flaw by sending a specially crafted HTTP request with a case-variant `Transfer-Encoding` header, leading to HTTP Request Smuggling. This can enable attackers to bypass security controls and poison web caches.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-15T15:51:46.502415+00:00", "value": {"mitigation_remediation": ["Upgrade the h3 dependency to version 1.15.5 or later, which incorporates the case-insensitive Transfer-Encoding handling fix.", "If upgrading is not immediately possible, modify the readRawBody function to accept any capitalization of the Transfer-Encoding header value before processing.", "After applying the change, run request-smuggling test cases and monitor server logs for anomalous Transfer-Encoding headers to confirm the vulnerability is resolved."], "summary": {"action": "Apply Latest Patch", "impact": "HTTP Request Smuggling via case-sensitive Transfer-Encoding header handling"}, "threat_synthesis": {"affected_systems": "The affected product is the h3 framework from h3js, intended for Node.js environments. All releases earlier than version 1.15.5 are impacted; the issue was rectified in that release.", "description_and_impact": "The vulnerability arises because the framework\u2019s body parsing logic verifies the Transfer-Encoding header strictly for the value \"chunked\" with case sensitivity, whereas the HTTP specification dictates header names and values are case-insensitive. An attacker can send a header with differing capitalization to trick the parser into processing a second, smuggled request that the application ignores or treats differently, potentially allowing injection or bypass of application logic. This flaw is categorized as a critical request smuggling flaw that can undermine request integrity and confidentiality.", "risk_and_exploitability": "The CVSS score of 8.9 indicates a high severity, yet the EPSS score is below 1% suggesting a low likelihood of active exploitation at present. It is not listed in the CISA Known Exploited Vulnerabilities catalog, which further reduces the immediate threat. Attackers would need network access to the vulnerable server and the ability to craft HTTP requests with custom Transfer-Encoding header values. If they succeed, the attack can lead to hidden data delivery, session hijacking, or denial of service."}}}}, "created": "2026-01-16T13:43:08.654206+00:00", "updated": "2026-04-15T18:15:10.861268+00:00", "vendors": ["h3js", "h3js$PRODUCT$h3"]}