PT-2026-26194 · Nuxt 3

Hibwyli · Published 2026-03-18 · Updated 2026-03-22 · CVE-2026-33131

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

H3 versions 2.0.0-0 through 2.0.1-rc.14

Description

H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing issue in NodeRequestUrl (which extends FastURL) that allows middleware to be bypassed. When event.url, event.url.hostname, or event.url.url is accessed, for example in logging middleware, the url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) so that the middleware's path check fails while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that reads event.url properties in middleware guarding sensitive routes. The root cause is that FastURL.href is constructed from unsanitized, attacker-controlled input: the url() function in the FastURL class runs when properties such as event.url are accessed and builds a URL from the possibly manipulated Host header, so an attacker can control event.url and bypass middleware checks.

Recommendations

Update to H3 version 2.0.1-rc.15 or later.
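The mechanism described above and the check a middleware can apply before trusting a reconstructed URL, as an added JavaScript example that is not H3's or fasturl's own code: it reproduces the unvalidated scheme + Host + path concatenation, shows how the advisory's Host value shifts the parsed pathname, and fails closed on a malformed Host or on any mismatch between the reconstructed pathname and the raw request path. The function names and the Host pattern are assumptions for illustration.

```javascript
// Added example, not code from H3 or fasturl. Function names and the Host
// header pattern below are hypothetical.

// Accepts host[:port] only: a DNS name / IPv4 literal or a bracketed IPv6
// literal, optionally followed by a numeric port. Anything containing "/",
// "?", "#", "@" or whitespace is rejected.
const HOST_RE = /^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::\d{1,5})?$/;

function isValidHostHeader(host) {
  return typeof host === "string" && host.length <= 255 && HOST_RE.test(host);
}

// Mirrors the weak pattern: concatenate scheme, Host and request path and let
// the URL parser sort it out. A Host containing "/" or "?" moves the real
// request path into the query string, so pathname no longer reflects it.
function buildRequestUrl(host, requestPath, protocol = "http") {
  return new URL(`${protocol}://${host}${requestPath}`);
}

// Hardened variant: refuse to build a URL from a malformed Host at all.
function buildRequestUrlStrict(host, requestPath, protocol = "http") {
  if (!isValidHostHeader(host)) {
    throw new Error("rejected malformed Host header");
  }
  return buildRequestUrl(host, requestPath, protocol);
}

// Guard decision for a protected prefix. It rejects a malformed Host, and it
// also rejects any request whose reconstructed pathname disagrees with the
// raw request path, since that is exactly the condition the bypass relies on.
function pathGuardDecision(host, requestPath, protectedPrefix) {
  let url;
  try {
    url = buildRequestUrlStrict(host, requestPath);
  } catch {
    return "reject"; // malformed Host: fail closed
  }
  const rawPath = requestPath.split("?")[0];
  if (url.pathname !== rawPath) return "reject";
  return url.pathname.startsWith(protectedPrefix) ? "protected" : "public";
}
```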

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2026-33131
GHSA-3VJ8-JMXQ-CGJ5

Affected Products

Fasturl
H3
Nitro
Nuxt