CVE-2026-33131 in h3js
Summary
by MITRE • 03/20/2026
H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that accesses event.url properties in middleware guarding sensitive routes. The issue requires an immediate fix to prevent FastURL.href from being constructed with unsanitized, attacker-controlled input. Version 2.0.1-rc.15 contains a patch for this issue.
Analysis
by VulDB Data Team • 03/26/2026
CVE-2026-33131 describes a Host header spoofing weakness in H3, a minimal HTTP framework for building web applications. It affects versions 2.0.0-0 through 2.0.1-rc.14 and sits in the NodeRequestUrl class, which extends FastURL. The root cause is that the client-supplied Host header is used without validation when the request URL is constructed, so a crafted request can change how the application interprets its own URL.
The flaw is triggered when middleware reads event.url, event.url.hostname or event.url._url, for example a logging middleware. The _url getter builds the absolute URL from untrusted request data, including the Host header. A value such as Host: localhost:3000/abchehe? is accepted as a request header but is not a valid host[:port]; when it is concatenated into a URL string, its trailing /abchehe? becomes the path and query of the parsed URL and the real request target is pushed into the query string. This is not path traversal: the file system is never involved, only the parsed path differs from the one the request asked for. Because H3 resolves the route handler before middleware runs, the handler is chosen from the original request target, while a middleware check on event.url.pathname sees the attacker-chosen path and does not match, so the protected handler runs without the guard applying.
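The mechanism above, as an added example that is not h3's own code: a reconstruction of the vulnerable concatenation next to a hardened version that validates the Host header first, and a simulated dispatcher that matches the route before running the guard middleware, as the advisory describes. The function names, the dispatch logic and the request objects are this example's own assumptions.

```javascript
// Added example (not h3's code): vulnerable URL construction beside a
// hardened one, plus a simulated route-then-middleware dispatch.

// Vulnerable pattern (assumed reconstruction): concatenate protocol, the
// raw Host header and the request target, then parse the result.
function buildUrlUnsafe(hostHeader, requestPath, protocol = "http") {
  return new URL(`${protocol}://${hostHeader}${requestPath}`);
}

// A Host header is host[:port] only: a reg-name, an IPv4 literal, or a
// bracketed IPv6 literal, optionally followed by a port. Anything else,
// in particular "/" or "?", is rejected before it reaches the URL parser.
const HOST_RE =
  /^(?:\[[0-9a-f:.]+\]|[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::\d{1,5})?$/i;

function isValidHostHeader(hostHeader) {
  return typeof hostHeader === "string" && HOST_RE.test(hostHeader);
}

function buildUrlSafe(hostHeader, requestPath, protocol = "http") {
  if (!isValidHostHeader(hostHeader)) {
    throw new Error(`invalid Host header: ${JSON.stringify(hostHeader)}`);
  }
  return new URL(`${protocol}://${hostHeader}${requestPath}`);
}

const PROTECTED_PREFIX = "/admin";

// Simulated H3-style dispatch: step 1 matches the route on the raw request
// target; step 2 runs a guard middleware that reads the parsed URL's pathname.
// The guard only challenges when the pathname it sees is under /admin.
function dispatch(req, buildUrl) {
  if (!req.path.startsWith(PROTECTED_PREFIX)) return { status: 404 };
  let url;
  try {
    url = buildUrl(req.headers.host, req.path);
  } catch (err) {
    return { status: 400, error: err.message };
  }
  const guarded = url.pathname.startsWith(PROTECTED_PREFIX);
  if (guarded && !req.headers.authorization) return { status: 401 };
  return { status: 200, pathname: url.pathname, search: url.search };
}

// Constructed requests: same target, one benign Host, one crafted Host.
const benign = { path: "/admin/users", headers: { host: "localhost:3000" } };
const crafted = {
  path: "/admin/users",
  headers: { host: "localhost:3000/abchehe?" },
};

console.log("unsafe, benign :", dispatch(benign, buildUrlUnsafe));
console.log("unsafe, crafted:", dispatch(crafted, buildUrlUnsafe));
console.log("safe,   crafted:", dispatch(crafted, buildUrlSafe));
```

With the unsafe builder the crafted request parses to pathname /abchehe and search ?/admin/users, so the guard sees nothing under /admin and the handler that was already selected for /admin/users runs unauthenticated. The hardened builder turns the same request into a 400 before any middleware reasons about the URL.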
The exposure covers any application built on H3, including those on Nitro and Nuxt, whose middleware guards routes by reading event.url. The Host header is supplied entirely by the client, so no credentials are needed to send the crafted value; the bypass works whenever the guard derives the path from event.url rather than from the same request target the router matched on. The result is unauthenticated access to routes that should require authentication or a specific authorization level. Standard application-level checks may not notice, because the request path itself is unremarkable; only the Host header is malformed.
VulDB maps the weakness to CWE-601 (URL Redirection to Untrusted Site) and CWE-284 (Improper Access Control); the second is the closer fit, since the practical effect is bypass of an access control. The ATT&CK techniques T1071.004 and T1499.004 do not describe this behaviour: T1071.004 is Application Layer Protocol: DNS, and T1499.004 is Endpoint Denial of Service: Application or System Exploitation. Exploiting a web framework flaw on an exposed service is better described by T1190 (Exploit Public-Facing Application). The fix in version 2.0.1-rc.15 stops FastURL.href from being built from unsanitized, attacker-controlled input, so a Host value carrying path or query characters can no longer alter the parsed path that middleware sees.
Organizations running applications built on H3 should upgrade to version 2.0.1-rc.15 or later. Until then, reject Host values that are not a plain host[:port] at the reverse proxy or in the first middleware, and write guard middleware so it compares against the raw request target the router matched on rather than against event.url. Security teams should also monitor for Host headers containing "/", "?" or "#", and review custom middleware for event.url reads that feed access decisions. The vulnerability is a reminder that the Host header is client-controlled input and must be validated before it is used to build a URL or to make an authorization decision.
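The monitoring recommended above, as an added example that is not part of the page or the H3 project: a scanner that reads access-log lines and flags Host values that cannot be a valid host[:port], marking lines where a protected target was also served with a success status. The log format (timestamp, client address, Host value, quoted request line, status) and the sample lines are constructed for this example; adapt the line pattern to the format your proxy actually writes.

```javascript
// Added example (not from the page or the H3 project): flag suspicious
// Host header values in access-log lines. Log format is constructed here.

const VALID_HOST =
  /^(?:\[[0-9a-f:.]+\]|[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::\d{1,5})?$/i;

// One constructed line: ts client host "METHOD target HTTP/x.y" status
const LINE_RE = /^(\S+) (\S+) (\S+) "([A-Z]+) (\S+) HTTP\/[0-9.]+" (\d{3})$/;

const PROTECTED_PREFIX = "/admin"; // assumed guarded route prefix

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ts: m[1],
    client: m[2],
    host: m[3],
    method: m[4],
    target: m[5],
    status: Number(m[6]),
  };
}

// Returns null for a well-formed host, otherwise a short reason label.
function classifyHost(host) {
  if (VALID_HOST.test(host)) return null;
  if (/[/?#]/.test(host)) return "path-or-query-in-host"; // the CVE-2026-33131 shape
  if (host.includes("@")) return "userinfo-in-host";
  return "malformed-host";
}

// Scan a log text; each finding carries the parsed record and a reason.
// bypassLikely is set when a malformed Host accompanied a successful
// response for a protected target, i.e. the guard may not have applied.
function findSuspiciousHosts(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    const rec = parseLine(line);
    if (!rec) {
      findings.push({ line, reason: "unparseable-line" });
      continue;
    }
    const reason = classifyHost(rec.host);
    if (!reason) continue;
    const bypassLikely =
      rec.target.startsWith(PROTECTED_PREFIX) && rec.status < 400;
    findings.push({ ...rec, reason, bypassLikely });
  }
  return findings;
}

// Constructed sample log: a challenged request, the same client retrying
// with a crafted Host and getting 200, a valid IPv6 host, and a host
// carrying userinfo.
const SAMPLE_LOG = `
2026-03-21T10:00:01Z 203.0.113.5 app.example.com "GET /admin/users HTTP/1.1" 401
2026-03-21T10:00:07Z 203.0.113.5 app.example.com/abchehe? "GET /admin/users HTTP/1.1" 200
2026-03-21T10:00:09Z 198.51.100.7 [2001:db8::1]:3000 "GET /health HTTP/1.1" 200
2026-03-21T10:00:12Z 203.0.113.5 user@app.example.com "GET /health HTTP/1.1" 200
`;

console.log(findSuspiciousHosts(SAMPLE_LOG));
```

A 401 followed by a 200 for the same client and target, with only the Host changing, is the sequence to alert on; the bypassLikely flag surfaces that second line directly.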