CVE-2026-23527

HIGH 8.9 | EPSS 0.04%

h3 v1 has Request Smuggling (TE.TE) issue

Published: 2026/1/15 | Modified: 2026/4/13

Description

I was digging into h3 v1 (specifically v1.15.4) and found a critical HTTP Request Smuggling vulnerability. Basically, `readRawBody` is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive.

**The Bug**: If I send a request with Transfer-Encoding: ChuNked (mixed case), h3 misses it. Since it doesn't see "chunked" and there's no Content-Length, it assumes the body is empty and processes the request immediately. This leaves the actual body sitting on the socket, which triggers a classic TE.TE Desync (Request Smuggling) if the app is running behind a Layer 4 proxy or anything that doesn't normalize headers (like AWS NLB or Node proxies).

**Vulnerable Code** (`src/utils/body.ts`):

```js
if (
  !Number.parseInt(event.node.req.headers["content-length"] || "") &&
  !String(event.node.req.headers["transfer-encoding"] ?? "")
    .split(",")
    .map((e) => e.trim())
    .filter(Boolean)
    .includes("chunked") // <--- This is the issue. "ChuNkEd" returns false here.
) {
  return Promise.resolve(undefined);
}
```

I verified this locally:

- Sent a `Transfer-Encoding: ChunKed` request without a closing 0 chunk.
- Express hangs (correctly waiting for data).
- h3 responds immediately (vulnerable, thinks body is length 0).

**Impact**: Since H3/Nuxt/Nitro is often used in containerized setups behind TCP load balancers, an attacker can use this to smuggle requests past WAFs or desynchronize the socket to poison other users' connections.

**Fix**: Just need to normalize the header value before checking: `.map((e) => e.trim().toLowerCase())`
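The following is an added example, not code from h3 or from the reporter: it reproduces the quoted check as a standalone function, with and without the `toLowerCase()` normalization, and lists the header sets on which the two disagree. The names `teTokens`, `expectsBody` and `findDesyncCandidates` and the sample header objects are assumptions made up for illustration.

```javascript
// Added example (not h3 source). Header objects are constructed samples shaped
// like Node's req.headers: names are lowercased by Node, values are left as sent.

// Split the Transfer-Encoding value into tokens, optionally lowercasing each one.
function teTokens(headers, normalize) {
  return String(headers["transfer-encoding"] ?? "")
    .split(",")
    .map((e) => (normalize ? e.trim().toLowerCase() : e.trim()))
    .filter(Boolean);
}

// True when the check decides a request body has to be read from the socket.
// normalize=false mirrors the quoted check; normalize=true applies the quoted fix.
function expectsBody(headers, normalize) {
  const hasLength = Boolean(Number.parseInt(headers["content-length"] || ""));
  return hasLength || teTokens(headers, normalize).includes("chunked");
}

// Header sets where the normalized check expects a body but the case-sensitive
// one does not: the body would stay unread on the connection.
function findDesyncCandidates(samples) {
  return samples.filter((h) => expectsBody(h, true) && !expectsBody(h, false));
}

// Constructed sample inputs.
const samples = [
  { "transfer-encoding": "chunked" },
  { "transfer-encoding": "ChuNked" },
  { "transfer-encoding": "gzip, Chunked" },
  { "content-length": "12" },
  { "content-length": "12", "transfer-encoding": "ChuNked" },
  {},
];

for (const h of samples) {
  console.log(
    JSON.stringify(h),
    "case-sensitive:", expectsBody(h, false),
    "normalized:", expectsBody(h, true)
  );
}
console.log("disagreements:", JSON.stringify(findDesyncCandidates(samples)));
```

The same comparison can serve as a regression test around the patched check: any header set returned by `findDesyncCandidates` is one the unpatched logic would treat as bodiless.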

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 8.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L |

References (6)