h3 Framework Request Smuggling Vulnerability (CVE-2026-23527) Analysis and Fix

Vulnerability Summary: h3 Framework Request Smuggling Vulnerability Overview Vulnerability Name: h3 Framework Request Smuggling Vulnerability CVE ID: CVE-2026-23527 GHSA ID: GHSA-m2g9-9vg9-f4cg CVSS Score: 8.9 Severity: HIGH Discovery Date: 2026-01-15 Fix Date: 2026-01-15 Affected Versions: h3 < v1.5.5 Vulnerability Details The h3 framework has a case-sensitive issue when checking the header while processing HTTP request bodies. According to RFC 7230, the value should be compared in a case-insensitive manner, but h3 uses a case-sensitive check with . When an attacker sends (capitalized first letter), h3 fails to recognize chunked encoding and assumes there is no request body, immediately returning a response without consuming the request data. However, the front-end reverse proxy correctly identifies chunked encoding, leaving the request body data in the connection buffer, which is then read by the next request, resulting in request smuggling. Impact Scope All Nuxt and Nitro applications using the h3 framework h3 applications deployed behind a reverse proxy Potential impacts include: - Bypassing WAF protection - Response pollution between users - Authentication bypass - Sensitive data leakage Remediation In commit , the original case-sensitive check was replaced with a case-insensitive regular expression: Fixed code: POC Code Example of a malicious request sent by an attacker: Where: is the chunk size in hexadecimal is the data content marks the final chunk

Goal Reached Thanks to every supporter — we hit 100%!

h3 Framework Request Smuggling Vulnerability (CVE-2026-23527) Analysis and Fix