Skip to main content

H3 CVE-2026-23527

HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-01-15 security-advisories@github.com GHSA-mp2g-9vg9-f4cg
8.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.9 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Red Hat
8.9 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 23, 2026 - 18:50 vuln.today
Public exploit code
Patch released
Jan 23, 2026 - 18:50 nvd
Patch available
CVE Published
Jan 15, 2026 - 20:16 nvd
HIGH 8.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 npm packages depend on h3 (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.15.5.

DescriptionGitHub Advisory

H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.

AnalysisAI

HTTP request smuggling in H3 framework versions before 1.15.5 allows remote attackers to bypass security controls by exploiting improper case-sensitive validation of the Transfer-Encoding header. The vulnerability enables attackers to inject malicious requests that diverge between client and server parsing, potentially leading to cache poisoning, session hijacking, or other attacks. Public exploit code exists for this vulnerability.

Technical ContextAI

Classified as CWE-444 (HTTP Request/Response Smuggling). Affects H3. H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 1.15.5.. Restrict network access to the affected service where possible.

Vendor StatusVendor

Share

CVE-2026-23527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy