PT-2026-3098 · H3 · H3

Simonkoeck · Published 2026-01-15 · Updated 2026-01-17 · CVE-2026-23527

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: H3 versions prior to 1.15.5
Description: H3 is a minimal H(TTP) framework designed for high performance and portability. A critical HTTP Request Smuggling issue exists because the readRawBody function checks the 'Transfer-Encoding' header in a case-sensitive way. The function compares the header value against the literal "chunked", but the HTTP RFC specifies that transfer-coding names are case-insensitive. This allows attackers to desynchronize sockets by sending mixed-case 'Transfer-Encoding' values, potentially bypassing security controls and leading to request smuggling.

The vulnerable code is located in src/utils/body.ts. The code does not normalize the header value before comparing it, so a 'Transfer-Encoding' header with mixed casing (e.g., 'ChuNked') is not recognized as chunked. The application may then respond immediately while the actual body remains unread on the socket, triggering a TE.TE desync. This is particularly impactful in containerized setups behind TCP load balancers, where attackers can smuggle requests past Web Application Firewalls (WAFs) or poison other users' connections.
Recommendations: Versions prior to 1.15.5 should be updated to version 1.15.5 or later.
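The case-sensitivity defect described above, placed beside a normalized framing check, as an added example that is not code from the h3 project. `isChunkedVulnerable`, `decideFraming`, `flagsDesyncRisk` and the `SAMPLES` header sets are this example's own names and constructed inputs; header names are assumed to arrive already lowercased, as Node's HTTP parser delivers them, while header values are passed through untouched.

```javascript
// Added example (not h3 project code). Contrasts a literal, case-sensitive
// "chunked" comparison with a framing decision that normalizes the value.

// Vulnerable pattern, as the advisory describes readRawBody before 1.15.5:
// the raw header value is compared against the literal "chunked", so a
// value such as "ChuNked" is not treated as a chunked body.
function isChunkedVulnerable(headers) {
  return headers["transfer-encoding"] === "chunked";
}

// Hardened framing decision. Transfer-coding names are case-insensitive,
// may be sent as a comma-separated list, and "chunked" must be the final
// coding. Ambiguous combinations are rejected instead of guessed at, since
// a guess is exactly what a front-end/back-end desync exploits.
function decideFraming(headers) {
  const te = headers["transfer-encoding"];
  const cl = headers["content-length"];
  if (te !== undefined) {
    if (cl !== undefined) {
      return { framing: "reject", reason: "both Transfer-Encoding and Content-Length present" };
    }
    const codings = te
      .split(",")
      .map((c) => c.trim().toLowerCase()) // normalize before comparing
      .filter(Boolean);
    if (codings.length === 0) {
      return { framing: "reject", reason: "empty Transfer-Encoding" };
    }
    if (codings[codings.length - 1] !== "chunked") {
      return { framing: "reject", reason: "final transfer-coding is not chunked" };
    }
    if (codings.slice(0, -1).includes("chunked")) {
      return { framing: "reject", reason: "chunked applied more than once" };
    }
    return { framing: "chunked", codings };
  }
  if (cl !== undefined) {
    if (!/^\d+$/.test(cl)) {
      return { framing: "reject", reason: "malformed Content-Length" };
    }
    return { framing: "content-length", length: Number(cl) };
  }
  return { framing: "none" };
}

// Detection aid for log or WAF review: true when the case-sensitive check
// and the normalized check disagree, i.e. a request whose framing two
// parsers in the same chain could interpret differently.
function flagsDesyncRisk(headers) {
  const vulnerableSaysChunked = isChunkedVulnerable(headers);
  const hardenedSaysChunked = decideFraming(headers).framing === "chunked";
  return vulnerableSaysChunked !== hardenedSaysChunked;
}

// Constructed sample header sets (not captured traffic).
const SAMPLES = {
  plain: { "transfer-encoding": "chunked" },
  mixedCase: { "transfer-encoding": "ChuNked" },
  list: { "transfer-encoding": "gzip, Chunked" },
  teAndCl: { "transfer-encoding": "chunked", "content-length": "5" },
  clOnly: { "content-length": "12" },
};

// Summarize every sample so the two checks can be compared side by side.
function report() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = {
      vulnerableSaysChunked: isChunkedVulnerable(headers),
      hardened: decideFraming(headers),
      desyncRisk: flagsDesyncRisk(headers),
    };
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

The `mixedCase` sample is the advisory's scenario: the literal comparison returns false while the normalized check recognizes a chunked body, so the two sides of a proxy chain can disagree about where the request ends. The `teAndCl` sample is rejected outright by the hardened path, which is the conservative choice whenever two framing signals are present.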

Weakness: HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

CVE-2026-23527
GHSA-MP2G-9VG9-F4CG

Affected Products

H3