{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33131", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.927Z", "datePublished": "2026-03-20T10:16:29.556Z", "dateUpdated": "2026-03-20T11:25:53.880Z"}, "containers": {"cna": {"title": "h3 has a middleware bypass with one gadget", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5"}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"version": ">= 2.0.0-0, < 2.0.1-rc.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:16:29.556Z"}, "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue."}], "source": {"advisory": "GHSA-3vj8-jmxq-cgj5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T11:25:14.200826Z", "id": "CVE-2026-33131", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:25:53.880Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33131", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T11:25:14.200826Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:25:38.802Z"}}], "cna": {"title": "h3 has a middleware bypass with one gadget", "source": {"advisory": "GHSA-3vj8-jmxq-cgj5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"status": "affected", "version": ">= 2.0.0-0, < 2.0.1-rc.15"}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5", "name": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T10:16:29.556Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33131", "state": "PUBLISHED", "dateUpdated": "2026-03-20T11:25:53.880Z", "dateReserved": "2026-03-17T20:35:49.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T10:16:29.556Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue."}], "id": "CVE-2026-33131", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T11:18:02.700", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T11:20:47.367824+00:00", "value": {"mitigation_remediation": ["Upgrade H3 to version 2.0.1\u2011rc.15 or later, which contains the patch for the Host header spoofing issue."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation / Authentication Bypass"}, "threat_synthesis": {"affected_systems": "All applications built on H3, including Nitro and Nuxt, that use the vulnerable 2.0.0\u20110 up to 2.0.1\u2011rc.14 releases and that access event.url properties in middleware guarding sensitive routes are affected. The official patch for the issue is included in H3 version 2.0.1\u2011rc.15.", "description_and_impact": "H3 is a lightweight HTTP framework used by applications such as Nitro and Nuxt. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl component, which extends FastURL. When a middleware queries event.url, event.url.hostname, or event.url._url, the underlying _url getter creates a URL object from user\u2011controlled data that includes the Host header. Because the router resolves route handlers before running middleware, an attacker can supply a crafted Host header (for example, Host: localhost:3000/abchehe?) to cause a middleware path check to fail while the route handler still matches. This allows attackers to bypass authentication or authorization middleware and access protected routes. The vulnerability is classified as CWE\u2011290 Confidence Spoofing.", "risk_and_exploitability": "The CVSS score for this vulnerability is 7.4, indicating a high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The threat model relies on an attacker being able to send HTTP requests with a malicious Host header to the target application. The exploit can be performed without additional credentials or prior compromise, and because the routing occurs before middleware execution, the attack can subvert protection mechanisms with no need for client\u2011side actions. This makes the vulnerability both actionable and potentially impactful for any exposed H3 instance."}}}}, "created": "2026-03-20T14:13:45.910276+00:00", "updated": "2026-03-20T14:13:45.910302+00:00", "vendors": []}