{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33131", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.927Z", "datePublished": "2026-03-20T10:16:29.556Z", "dateUpdated": "2026-03-20T11:25:53.880Z"}, "containers": {"cna": {"title": "h3 has a middleware bypass with one gadget", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5"}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"version": ">= 2.0.0-0, < 2.0.1-rc.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:16:29.556Z"}, "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue."}], "source": {"advisory": "GHSA-3vj8-jmxq-cgj5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T11:25:14.200826Z", "id": "CVE-2026-33131", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:25:53.880Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33131", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T11:25:14.200826Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:25:38.802Z"}}], "cna": {"title": "h3 has a middleware bypass with one gadget", "source": {"advisory": "GHSA-3vj8-jmxq-cgj5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"status": "affected", "version": ">= 2.0.0-0, < 2.0.1-rc.15"}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5", "name": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:16:29.556Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33131", "state": "PUBLISHED", "dateUpdated": "2026-03-20T11:25:53.880Z", "dateReserved": "2026-03-17T20:35:49.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T10:16:29.556Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "A80DE960-665D-4590-B6D5-645099B808E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*", "matchCriteriaId": "603A08FC-B20B-4693-90A1-0BF5F08B43AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*", "matchCriteriaId": "BCC5ECF0-0EED-48BC-95FA-1D2671A971A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*", "matchCriteriaId": "BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*", "matchCriteriaId": "3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*", "matchCriteriaId": "3D1C9D7B-3CE4-427B-93B4-EAF867159AFB", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*", "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*", "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*", "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*", "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*", "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*", "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*", "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*", "matchCriteriaId": "5E404148-6862-44F5-961D-10E8A742A4B6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo. Las versiones 2.0.0-0 hasta 2.0.1-rc.14 contienen una vulnerabilidad de suplantaci\u00f3n de encabezado Host en NodeRequestUrl (que extiende FastURL) que permite el bypass de middleware. Cuando se accede a event.url, event.url.hostname, o event.url._url, como en un middleware de registro, el gestor de acceso _url construye una URL a partir de datos no confiables, incluyendo el encabezado Host controlado por el usuario. Debido a que el router de H3 resuelve el gestor de ruta antes de que se ejecute el middleware, un atacante puede proporcionar un encabezado Host manipulado (p. ej., Host: localhost:3000/abchehe?) para hacer que la verificaci\u00f3n de ruta del middleware falle mientras el gestor de ruta a\u00fan coincide, eludiendo efectivamente el middleware de autenticaci\u00f3n o autorizaci\u00f3n. Esto afecta a cualquier aplicaci\u00f3n construida sobre H3 (incluyendo Nitro/Nuxt) que acceda a las propiedades de event.url en middleware que protege rutas sensibles. El problema requiere una soluci\u00f3n inmediata para evitar que FastURL.href se construya con entrada no saneada y controlada por el atacante. La versi\u00f3n 2.0.1-rc.15 contiene un parche para este problema."}], "id": "CVE-2026-33131", "lastModified": "2026-03-20T19:45:14.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T11:18:02.700", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0-0,2.0.1-rc.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "h3", "source": "cna", "vendor": "h3js"}, "product": "h3", "vendor": "h3js"}], "analysis": {"en": {"generated_at": "2026-03-20T21:25:13.052641+00:00", "value": {"mitigation_remediation": ["Upgrade to h3 version 2.0.1\u2011rc.15 or later, which contains a patch for the vulnerability.", "If an upgrade is not immediately possible, remove any use of event.url, event.url.hostname, or event.url._url from authentication or authorization middleware, or sanitize the Host header before it is used in URL construction.", "Implement an explicit Host header validation step to ensure the value matches the expected domain and port before using it to build URLs.", "Monitor incoming requests for unusual Host header values and alert on repeated attempts to use malformed headers."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Vulnerable versions of the H3 JavaScript framework from 2.0.0\u20110 through 2.0.1\u2011rc.14 affect any Node.js application that uses event.url properties in middleware, including frameworks built on H3 such as Nitro or Nuxt. The affected artifacts are listed by CPE as h3 h3 2.0.0 to 2.0.1\u2011rc.14 for Node\u00a0JavaScript.", "description_and_impact": "The vulnerability is a host header spoofing flaw in the NodeRequestUrl component of the H3 framework that allows an attacker to craft a Host header to cause the middleware path check to fail while the route handler still processes the request. This permits the bypass of authentication or authorization checks implemented in middleware, resulting in unauthorized access to protected routes. The weakness is classified as CWE\u2011290. No execution of arbitrary code is possible, but the effect is a privilege escalation within the application.", "risk_and_exploitability": "The CVSS base score is 7.4, indicating high severity. The EPSS score is below 1\u202f%, suggesting a low current exploitation probability, and the vulnerability is not in the CISA KEV catalog. An attacker must control the Host header of an HTTP request which is typically achievable when the target is exposed to arbitrary clients, such as a public web server. The vulnerability can be exploited by sending a request with a crafted Host header that includes a path component; the framework will then process the route handler but skip the middleware guard, allowing unauthorized access."}}}}, "created": "2026-03-20T14:13:45.910276+00:00", "updated": "2026-03-25T14:29:34.867231+00:00", "vendors": ["h3js", "h3js$PRODUCT$h3"]}