H3
CVE-2026-23527
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 6 npm packages depend on h3 (6 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.15.5.
DescriptionGitHub Advisory
H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.
AnalysisAI
HTTP request smuggling in H3 framework versions before 1.15.5 allows remote attackers to bypass security controls by exploiting improper case-sensitive validation of the Transfer-Encoding header. The vulnerability enables attackers to inject malicious requests that diverge between client and server parsing, potentially leading to cache poisoning, session hijacking, or other attacks. Public exploit code exists for this vulnerability.
Technical ContextAI
Classified as CWE-444 (HTTP Request/Response Smuggling). Affects H3. H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 1.15.5.. Restrict network access to the affected service where possible.
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mp2g-9vg9-f4cg