PT-2026-26775 · H3

Published 2026-03-20 · Updated 2026-03-26

CVE-2026-33490 · CVSS v3.1 5.3 (Medium) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

h3 versions 2.0.0-0 through 2.0.1-rc.16

Description

The mount() method in h3 uses a simple startsWith() check to determine whether an incoming request falls under a mounted sub-application's path prefix. This check does not verify a path segment boundary, so middleware registered on a mount such as /admin also executes for unrelated routes such as /admin-public, /administrator, or /adminstuff. An attacker can therefore trigger context-setting middleware on paths it was never intended to cover, potentially polluting the request context with unintended privilege flags. The withoutBase() utility likewise produces incorrect paths when the input shares only a string prefix with the base, potentially causing routing errors. This issue can lead to context pollution across mount boundaries, authorization bypass, and path mangling.

Recommendations

Versions prior to 2.0.2-rc.17 are affected. Apply the fix to src/h3.ts:127 to add a segment boundary check after the startsWith call. Apply the fix to src/utils/internal/path.ts:40 to add a segment boundary check after the startsWith call.
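The following is an added illustration of the check described in this advisory, not h3's own source: a bare startsWith() mount matcher beside one that enforces a segment boundary, a matching pair of withoutBase() stand-ins, and a small harness showing which constructed request paths a context-setting middleware would fire on. The function names, the root and trailing-slash handling, and the sample paths are assumptions made for the example.

```javascript
// Added example, not code from the h3 project. The mount matcher and
// withoutBase() below are simplified stand-ins for the pattern the advisory
// describes (assumption: the real implementations differ in detail).

// Vulnerable: a bare prefix test. "/admin-public".startsWith("/admin") is true.
function matchesMountVulnerable(prefix, path) {
  return path.startsWith(prefix);
}

// Hardened: after the prefix the path must end or continue with "/", so
// "/admin" matches "/admin" and "/admin/users" but not "/administrator".
// A trailing slash on the prefix is tolerated and "/" mounts everything
// (assumed conventions for this example).
function matchesMountFixed(prefix, path) {
  const base = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
  if (base === "") return true;
  if (!path.startsWith(base)) return false;
  return path.length === base.length || path[base.length] === "/";
}

// Vulnerable withoutBase(): strips the base wherever the string starts with
// it, so "/admin-public" under base "/admin" is mangled to "-public".
function withoutBaseVulnerable(path, base) {
  return path.startsWith(base) ? path.slice(base.length) || "/" : path;
}

// Hardened withoutBase(): only strips when the base ends on a segment boundary,
// leaving unrelated paths untouched.
function withoutBaseFixed(path, base) {
  if (!matchesMountFixed(base, path)) return path;
  const rest = path.slice(base.endsWith("/") ? base.length - 1 : base.length);
  return rest || "/";
}

// Simulates a mounted sub-app whose middleware sets a privilege flag on the
// request context; returns the paths on which the flag ended up set.
function runMount(matcher, prefix, requestPaths) {
  const touched = [];
  for (const p of requestPaths) {
    const ctx = { path: p, isAdmin: false };
    if (matcher(prefix, p)) ctx.isAdmin = true; // context-setting middleware
    if (ctx.isAdmin) touched.push(p);
  }
  return touched;
}

// Constructed sample requests for the demonstration.
const SAMPLE_PATHS = ["/admin", "/admin/users", "/admin-public",
  "/administrator", "/adminstuff", "/public"];
```

With the vulnerable matcher, runMount() reports all five /admin* paths as privileged; with the boundary check only /admin and /admin/users are.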

Related Identifiers

CVE-2026-33490
GHSA-2J6Q-WHV2-GH6W

Affected Products

H3